Bigtiger2020

**Name of the Vulnerable Software and Affected Versions** Employee Record Management System version 1.2 **Description** The issue concerns a Cross Site Scripting (XSS) vulnerability. It can be exploited via the `editempprofile.php` endpoint. **Recommendations** For Employee Record Management System version 1.2, consider restricting access to the `editempprofile.php` endpoint until a fix is available. As a temporary workaround, avoid using the `editempprofile.php` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SEMCMS SHOP version 1.1 **Description** The issue affects the Ant Message.php file, allowing for SQL injection. **Recommendations** For SEMCMS SHOP version 1.1, consider restricting access to the Ant Message.php file until a patch is available. As a temporary workaround, avoid using parameters that could lead to SQL injection in the affected file.

**Name of the Vulnerable Software and Affected Versions** GeoDirectory Business Directory WordPress plugin versions prior to 2.1.1.3 **Description** The issue concerns Authenticated Stored Cross-Site Scripting (XSS). There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions prior to 2.1.1.3, update to version 2.1.1.3 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: SourceCodester Responsive Ordering System version 1.0 Description: The issue allows attackers to execute arbitrary code via the file upload to `Product model.php`. This can lead to arbitrary file upload, potentially resulting in code execution. Recommendations: For SourceCodester Responsive Ordering System version 1.0, consider restricting access to the file upload functionality in `Product model.php` to minimize the risk of exploitation. As a temporary workaround, disabling the file upload feature until a patch is available can help mitigate the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SourceCodester Ordering System version 1.0 Description: The issue allows attackers to execute arbitrary code via the file upload to "ordering/admin/products/edit.php". This is an arbitrary file upload vulnerability. Recommendations: For SourceCodester Ordering System version 1.0, consider disabling the file upload feature in the "ordering/admin/products/edit.php" page until a patch is available. Restrict access to the "edit.php" file to minimize the risk of exploitation. Avoid using the file upload functionality in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: fastadmin version 1.0.0.20200506 beta Description: The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability may allow an attacker to obtain administrator credentials, enabling them to log in to the background. Recommendations: For fastadmin version 1.0.0.20200506 beta, as a temporary workaround, consider restricting access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: 74cms version 5.0.1 Description: The issue is a remote code execution vulnerability located in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php. This allows attackers to obtain server permissions and control the server. Recommendations: For 74cms version 5.0.1, consider disabling access to the vulnerable files /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php until a patch is available. Restrict access to these files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester E-Commerce Website version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL statements via the `update` parameter to "empViewUpdate.php". This is related to the lack of protection for the SQL query structure, which can enable an attacker to conduct cross-site scripting attacks. **Recommendations** For version 1.0, consider disabling access to the "empViewUpdate.php" script until a patch is available, or restrict the use of the `update` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester E-Commerce Website version 1.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `subject` field to "feedback process.php". The exploitation of this vulnerability can lead to remote attackers conducting cross-site scripting attacks. **Recommendations** For SourceCodester E-Commerce Website version 1.0, consider disabling the `feedback process.php` script until a patch is available to prevent exploitation. Restrict access to the `subject` field in the "feedback process.php" endpoint to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** 74CMS versions prior to 6.0.48 **Description** The issue concerns a PHP remote file inclusion in the `assign resume tpl` method within the `Application/Common/Controller/BaseController.class.php` file. This allows for remote code execution. **Recommendations** For versions prior to 6.0.48, update to version 6.0.48 or later to resolve the issue. As a temporary workaround, consider restricting access to the `assign resume tpl` method in `BaseController.class.php` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gym Management System (affected versions not specified) **Description** A SQL injection issue was found in the Gym Management System, specifically in the manage user.php file. The `id` parameter, which is passed via GET requests, is vulnerable to SQL injection attacks. This could potentially allow an attacker to execute malicious SQL code. **Recommendations** As a temporary workaround, consider restricting access to the manage user.php file until a patch is available. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Car Rental Management System version 1.0 **Description** An SQL injection issue was found in the Car Rental Management System. This can be exploited through the `id` parameter in "view car.php" or the `car id` parameter in "booking.php". **Recommendations** For Car Rental Management System version 1.0, consider restricting access to the "view car.php" and "booking.php" files until a patch is available. As a temporary workaround, avoid using the `id` and `car id` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Point of Sales in PHP/PDO version 1.0 **Description** A SQL injection issue was found, which can be exploited through the `id` parameter in the "edit category.php" endpoint. This allows for potential manipulation of database queries. **Recommendations** For Point of Sales in PHP/PDO version 1.0, consider restricting access to the "edit category.php" endpoint until a patch is available, and avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** UCMS version 1.5.0 **Description** A file upload issue exists, allowing an attacker to exploit it and gain server management permission. **Recommendations** For UCMS version 1.5.0, update to a version that fixes this issue to prevent exploitation.