Anirudh Krishnaprasad

**Name of the Vulnerable Software and Affected Versions** projectworlds Travel management System version 1.0 **Description** A SQL Injection issue allows a remote attacker to execute arbitrary code via the `t2` parameter in "deletesubcategory.php". This enables the attacker to potentially access and manipulate sensitive data. **Recommendations** For projectworlds Travel management System version 1.0, consider restricting access to the "deletesubcategory.php" file until a patch is available. As a temporary workaround, avoid using the `t2` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProjectWorld's Travel Management System version 1.0 **Description** The issue allows remote attackers to bypass authentication via SQL Injection in the `username` and `password` fields. This is a result of a SQL Injection vulnerability in the loginform.php file. **Recommendations** For ProjectWorld's Travel Management System version 1.0, consider temporarily disabling the login functionality until a patch is available. Restrict access to the loginform.php file to minimize the risk of exploitation. Avoid using the `username` and `password` fields in the affected login form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Travel Management System version 1.0 **Description** The issue allows a remote attacker to inject arbitrary code via the `t2` parameter in the `addcategory.php` file. This enables the attacker to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For Travel Management System version 1.0, consider disabling access to the `addcategory.php` file or restricting the use of the `t2` parameter until a patch is available. As a temporary workaround, avoid using the `t2` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Agile-Board version 1.0 **Description** A Host header injection issue allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This is achieved through exploiting the Host header injection vulnerability, which enables attackers to manipulate the password reset process. **Recommendations** For Agile-Board version 1.0, consider restricting access to password reset links until a patch is available. As a temporary workaround, avoid using crafted password reset links to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.