Aslam Anwar Mahimkar

**Name of the Vulnerable Software and Affected Versions** Krayin CRM version 1.3.0 **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability. It occurs through the organization name field in the "/admin/contacts/organizations/edit/2" endpoint. This allows for potential malicious script injection. **Recommendations** For Krayin CRM version 1.3.0, as a temporary workaround, consider restricting access to the "/admin/contacts/organizations/edit/2" endpoint until a patch is available. Additionally, avoid using the `organization name` field in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OnlineNewsSite version 1.0 **Description** The issue allows attackers to execute arbitrary code via the `Title` and `summary` fields in the "/admin/post/edit/" endpoint. This enables attackers to run any code they want. **Recommendations** For OnlineNewsSite version 1.0, as a temporary workaround, consider disabling the editing functionality in the "/admin/post/edit/" endpoint until a patch is available. Restrict access to the `Title` and `summary` fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sourcecodehero Event Management System version 1.0 **Description** The issue is related to a SQL Injection vulnerability via the parameter `username` in the "/event/admin/login.php" endpoint. This allows attackers to remotely compromise databases. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Sourcecodehero Event Management System version 1.0, patch immediately and validate input sanitization to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the "/event/admin/login.php" endpoint until a patch is available. Avoid using the parameter `username` in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodehero Event Management System version 1.0 **Description** The issue is a Stored Cross-Site Scripting vulnerability. It occurs through the parameters `Full Name`, `Address`, `Email`, and `contact#` in the "/clientdetails/admin/regester.php" API endpoint. **Recommendations** For Sourcecodehero Event Management System version 1.0, as a temporary workaround, consider restricting access to the "/clientdetails/admin/regester.php" endpoint until a patch is available. Avoid using the parameters `Full Name`, `Address`, `Email`, and `contact#` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Aegon Life version 1.0 **Description** An arbitrary file upload vulnerability allows attackers to execute arbitrary code via uploading a crafted image file. This issue arises due to improper input validation, enabling attackers to upload malicious files and potentially gain control over the target system. **Recommendations** For Aegon Life version 1.0, consider disabling the image upload feature until a patch is available to prevent exploitation of this vulnerability. Restrict access to sensitive areas of the system where uploaded files are processed to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Aegon Life version 1.0 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `name` parameter at "insertClient.php". **Recommendations** For Aegon Life version 1.0, consider disabling access to the "insertClient.php" endpoint until a patch is available, or restrict the `name` parameter to prevent injection of malicious payloads. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Aegon Life version 1.0 **Description** The issue is a SQL injection vulnerability. It can be exploited via the `client id` parameter at the "clientStatus.php" endpoint. **Recommendations** For Aegon Life version 1.0, as a temporary workaround, consider restricting access to the "clientStatus.php" endpoint until a patch is available. Avoid using the `client id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.