Alon Leviev

**Name of the Vulnerable Software and Affected Versions** Windows Boot Loader (affected versions not specified) **Description** Reliance on untrusted inputs in a security decision allows an authorized attacker to bypass a security feature locally. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows BitLocker (affected versions not specified) **Description** Improper input validation in Windows BitLocker allows an unauthorized attacker to bypass a security feature, specifically Secure Boot, locally. This issue poses a risk to data integrity and confidentiality, particularly within enterprise device security architectures. **Recommendations** Apply the April 2026 security updates.

Name of the Vulnerable Software and Affected Versions: Windows BitLocker (affected versions not specified) Description: A protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. This issue enables attackers to access encrypted data. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows BitLocker (affected versions not specified) **Description** An issue exists where the acceptance of extraneous untrusted data alongside trusted data allows an unauthorized attacker to bypass a security feature. This exploit requires physical access to the system and can be achieved through a downgrade attack. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Windows BitLocker (affected versions not specified) Description: A protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Windows BitLocker (affected versions not specified) Description: A time-of-check time-of-use (toctou) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. This issue raises concerns about the safety of encrypted data. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Windows BitLocker (affected versions not specified) Description: A time-of-check time-of-use (toctou) race condition exists, allowing an unauthorized attacker to bypass a security feature with a physical attack. This issue enables attackers to circumvent the encryption provided by BitLocker. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Windows versions prior to the April 2025 security updates Windows 10 versions prior to the April 2025 security updates Windows 11 versions prior to the April 2025 security updates Windows Server 2016 and higher versions prior to the April 2025 security updates Azure Virtual Machines (VM) that support Virtualization Based Security (VBS) prior to the April 2025 security updates **Description** An elevation of privilege vulnerability exists in Windows based systems supporting Virtualization Based Security (VBS), including a subset of Azure Virtual Machine SKUS. This vulnerability enables an attacker with administrator privileges to replace current versions of Windows system files with outdated versions. By exploiting this vulnerability, an attacker could reintroduce previously mitigated vulnerabilities, circumvent some features of VBS, and exfiltrate data protected by VBS. **Recommendations** To comprehensively address this issue, install the April 2025 security updates for all supported editions of Windows. For customers running affected versions of Windows, review KB5042562: Guidance for blocking rollback of virtualization-based security related updates to assess if the opt-in policy meets the needs of their environment before implementing this mitigation. Configure settings to monitor and log access attempts to critical system files. Review Identity Protection’s Risk Reports in Azure Active Directory.

**Name of the Vulnerable Software and Affected Versions** Windows Update (affected versions not specified) **Description** The issue is related to insufficient access control in Windows Update, potentially allowing an attacker with basic user privileges to reintroduce previously mitigated vulnerabilities or circumvent some features of Virtualization Based Security (VBS). Exploitation requires additional interaction by a privileged user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Engineers Online Portal (affected versions not specified) **Description** A Stored Cross Site Scripting (XSS) issue exists in the Sourcecodester Engineers Online Portal in PHP. This is due to the `quiz title` and `quiz description` parameters in the "add quiz.php" endpoint. An attacker can leverage this issue to run javascript commands on the web server surfer's behalf, potentially leading to cookie stealing. **Recommendations** As a temporary workaround, consider restricting access to the "add quiz.php" endpoint until a patch is available. Avoid using the `quiz title` and `quiz description` parameters in the affected endpoint until the issue is resolved. Restrict the execution of javascript commands on the web server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Online Event Booking and Reservation System (affected versions not specified) **Description** The issue exists due to the lack of measures to neutralize special elements, allowing a remote attacker to exploit it and potentially disclose protected information. An HTML injection vulnerability is present in the system via the `msg` parameter to "/event-management/index.php". This vulnerability can be leveraged by an attacker to change the visibility of the website. Once a target user clicks on a given link, they will display the content of the attacker's chosen HTML code. **Recommendations** As a temporary workaround, consider restricting access to the `/event-management/index.php` endpoint until a patch is available. Avoid using the `msg` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Engineers Online Portal (affected versions not specified) **Description** An incorrect access control issue exists in the Sourcecodester Engineers Online Portal in PHP, specifically in the nia munoz monitoring system/admin/uploads directory. This allows an attacker to bypass access controls and access all files uploaded to the web server without needing authentication or authorization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Engineers Online Portal (affected versions not specified) **Description** A file upload issue exists, allowing attackers to change the avatar through `teacher avatar.php` in `dashboard teacher.php`. Uploaded files are stored in the `/admin/uploads/` directory and are accessible to all users. An attacker can upload a PHP webshell containing `<?php system($ GET["cmd"]); ?>` and execute commands on the web server by accessing the uploaded file, for example, `/admin/uploads/php-webshell?cmd=id`. This allows for command execution with potentially elevated privileges. **Recommendations** As a temporary workaround, consider disabling the `teacher avatar.php` functionality until a patch is available. Restrict access to the `/admin/uploads/` directory to minimize the risk of exploitation. Avoid using the `cmd` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Engineers Online Portal (affected versions not specified) **Description** A SQL Injection issue exists in the Sourcecodester Engineers Online Portal in PHP, specifically via the `id` parameter in the "my classmates.php" web page. This allows an attacker to extract sensitive data from the web server and potentially achieve remote code execution on the remote web server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Online Event Booking and Reservation System (affected versions not specified) **Description** A Stored Cross Site Scripting (XSS) issue exists due to inadequate protection of the web page structure. This allows a remote attacker to run javascript commands on behalf of the web server user, potentially leading to cookie stealing and other malicious activities. The vulnerability is specifically related to the `Holiday reason` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.