Asier Barranco

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the API endpoint: https://XXXXXXX.saludydesafio.com/conexiones/ax/openTracExt/, using the parameter `categoria`. **Recommendations** For SportsNET version 4.0.1, consider disabling access to the `categoria` parameter in the affected API endpoint until a patch is available. Restrict access to the database to minimize the risk of exploitation. Avoid using the `categoria` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the "/ax/registerSp/" API endpoint, using the `idDesafio` parameter. This poses serious cybersecurity risks, as attackers can exploit these flaws to manipulate database data. **Recommendations** For SportsNET version 4.0.1, consider disabling the `idDesafio` parameter in the "/ax/registerSp/" API endpoint as a temporary workaround until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the `idDesafio` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the endpoint: https://XXXXXXX.saludydesafio.com/app/ax/sort bloques/, using the `parameter list`. This vulnerability enables attackers to access, modify, or delete database information via manipulated SQL queries. **Recommendations** For SportsNET version 4.0.1, as a temporary workaround, consider restricting access to the vulnerable endpoint until a patch is available. Avoid using the vulnerable `parameter list` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the "/app/ax/setAsRead/" endpoint, using the `id` parameter. **Recommendations** For SportsNET version 4.0.1, as a temporary workaround, consider restricting access to the "/app/ax/setAsRead/" endpoint until a patch is available. Additionally, avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the "/app/ax/sendParticipationRemember/" endpoint, using the `send` parameter. **Recommendations** For SportsNET version 4.0.1, as a temporary workaround, consider restricting access to the "/app/ax/sendParticipationRemember/" endpoint until a patch is available. Additionally, avoid using the `send` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query. The vulnerable API endpoint is "https://XXXXXXX.saludydesafio.com/app/ax/inscribeUsuario/", and the parameter `idDesafio` is involved. **Recommendations** For version 4.0.1, consider disabling access to the vulnerable API endpoint "https://XXXXXXX.saludydesafio.com/app/ax/inscribeUsuario/" until a patch is available. Additionally, restrict the use of the `idDesafio` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query. The vulnerable parameter is `url` in the API endpoint "https://XXXXXXX.saludydesafio.com/app/ax/generateShortURL/". **Recommendations** For SportsNET version 4.0.1, consider disabling the SQL query functionality or restricting access to the vulnerable API endpoint until a patch is available. Avoid using the `url` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query to the `/app/ax/consejoRandom/` endpoint, using the `idCat` parameter. This vulnerability enables attackers to manipulate queries and access, alter, or erase database information. **Recommendations** For SportsNET version 4.0.1, consider disabling the `idCat` parameter in the `/app/ax/consejoRandom/` endpoint as a temporary workaround until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the `idCat` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SportsNET version 4.0.1 **Description** The issue concerns SQL injection vulnerabilities that could allow an attacker to retrieve, update, and delete all information in the database by sending a specially crafted SQL query. The vulnerable API endpoint is "https://XXXXXXX.saludydesafio.com/app/ax/checkBlindFields/", with vulnerable parameters `idChallenge` and `idEmpresa`. **Recommendations** For SportsNET version 4.0.1, consider disabling access to the `/app/ax/checkBlindFields/` endpoint until a patch is available. Additionally, restrict the use of the `idChallenge` and `idEmpresa` parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ATISolutions CIGES versions prior to 2.15.5 Description: The issue is a SQL injection vulnerability that allows a remote attacker to send a specially crafted SQL query to the "/modules/ajaxServiciosCentro.php" endpoint in the `idCentro` parameter and retrieve all the information stored in the database. Recommendations: For versions prior to 2.15.5, update to version 2.15.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/modules/ajaxServiciosCentro.php" endpoint or validating and sanitizing the `idCentro` parameter to prevent malicious SQL queries.