Astra.R3Verii

**Name of the Vulnerable Software and Affected Versions** WC Affiliate versions n/a through 2.9.1 **Description** The issue is related to Deserialization of Untrusted Data, which allows Object Injection. This is a problem where an application deserializes data from an untrusted source, potentially leading to the execution of malicious code. **Recommendations** For versions n/a through 2.9.1, update to a version later than 2.9.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LETSCMS MLM Software Binary MLM Plan versions n/a through 3.0 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions n/a through 3.0, update to a version that fixes the SQL Injection issue to prevent exploitation. As a temporary workaround, consider restricting access to sensitive database operations until a patch is available. Avoid using user-supplied input in SQL commands without proper sanitization until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** STAGGS versions n/a through 2.11.0 **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling the upload of a web shell to a web server. This can lead to potential security breaches. **Recommendations** For versions n/a through 2.11.0, consider restricting file uploads to only allow safe file types and implement proper validation and sanitization of uploaded files to prevent the upload of malicious content, such as web shells. As a temporary workaround, consider disabling file upload functionality until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** 6Storage Rentals versions n/a through 2.19.4 **Description** The issue is related to a Missing Authorization vulnerability in 6Storage Rentals, which allows Path Traversal. **Recommendations** For versions n/a through 2.19.4, update to a version that includes the necessary authorization checks to prevent Path Traversal attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nomupay Payment Processing Gateway versions n/a through 7.1.7 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows unauthorized access to files and directories outside the intended restricted directory. **Recommendations** For Nomupay Payment Processing Gateway versions n/a through 7.1.7, update to a version later than 7.1.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Tainacan versions 0.21.14 and earlier **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows unauthorized access to files and directories outside the intended restricted directory. **Recommendations** For versions 0.21.14 and earlier, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dastan800 Visual Builder versions 1.2.2 and earlier **Description** The issue is related to a Missing Authorization vulnerability that allows Reflected XSS in dastan800 Visual Builder. **Recommendations** For versions 1.2.2 and earlier, update to a version that includes a fix for this issue, as no specific mitigation measures are provided.

**Name of the Vulnerable Software and Affected Versions** Crossword Compiler Puzzles versions 5.2 and earlier **Description** The issue allows for the unrestricted upload of files with dangerous types, enabling an attacker to upload a web shell to a web server. This can lead to further exploitation and potential control of the server. **Recommendations** For versions 5.2 and earlier, consider restricting or disabling file upload functionality until a fix is available. As a temporary workaround, implement strict validation and sanitization of uploaded files to prevent the execution of malicious code.

**Name of the Vulnerable Software and Affected Versions** Infocob CRM Forms versions n/a through 2.4.0 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'. This allows for Path Traversal in Infocob CRM Forms. **Recommendations** For versions n/a through 2.4.0, update to a version that contains a fix for this issue, as the current version allows Path Traversal due to improper limitation of pathnames. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Facturante versions n/a through 1.11 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions n/a through 1.11, update to a version that includes a fix for this SQL Injection issue, as using special elements in SQL commands without proper neutralization poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: davidfcarr RSVPMarker versions n/a through 11.5.6 Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks, potentially leading to system breaches. Recommendations: For versions n/a through 11.5.6, update to a version later than 11.5.6 to resolve the SQL Injection issue. As a temporary workaround, consider restricting access to SQL commands to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: EventON versions through 2.4.4 Description: The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by ACLs. Recommendations: For versions through 2.4.4, update to a version later than 2.4.4 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: berthaai BERTHA AI versions 1.12.11 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploitation of incorrectly configured access control security levels. Recommendations: For versions 1.12.11 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Eventin versions n/a through 4.0.26 Description: The issue affects Themewinter Eventin, allowing Relative Path Traversal. This enables Path Traversal, which can be exploited. Recommendations: For versions n/a through 4.0.26, update to a version later than 4.0.26 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SMS Alert Order Notifications – WooCommerce versions 3.8.2 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection, which can be exploited by attackers. The estimated number of potentially affected devices worldwide is not provided. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 3.8.2 and earlier, update to a version later than 3.8.2 to resolve the issue. As a temporary workaround, consider restricting access to sensitive database queries to minimize the risk of exploitation. Avoid using user-supplied input in SQL commands until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Credova Financial versions n/a through 2.5.0 **Description** The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows Cross Site Request Forgery. **Recommendations** For versions n/a through 2.5.0, update to a version that includes a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** codepeople Appointment Booking Calendar versions 1.3.92 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability that also allows SQL Injection in the codepeople Appointment Booking Calendar. **Recommendations** For versions 1.3.92 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to sensitive `username` and `password` variables in the affected API endpoints until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Watu Quiz versions 3.4.3 and earlier **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. **Recommendations** For versions 3.4.3 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bastien Ho Event post versions n/a through 5.9.11 **Description** The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing DOM-Based XSS in the Event post. **Recommendations** For versions n/a through 5.9.11, update to a version later than 5.9.11 to resolve the issue. As a temporary workaround, consider restricting user input in the Event post to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vitepos versions 3.1.7 and earlier **Description** The issue is related to an Authentication Bypass Using an Alternate Path or Channel, allowing Authentication Abuse. **Recommendations** For versions 3.1.7 and earlier, update to a version later than 3.1.7 to resolve the issue.