Broccoli

**Name of the Vulnerable Software and Affected Versions** TS Poll – Survey, Versus Poll, Image Poll, Video Poll plugin for WordPress versions up to, and including, 2.4.6 **Description** The issue concerns SQL Injection via the `s` parameter due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. **Recommendations** For versions up to, and including, 2.4.6, consider disabling access to the `s` parameter until a patch is available to prevent potential SQL Injection attacks. As a temporary workaround, restrict access to the plugin's SQL queries to minimize the risk of exploitation. Avoid using the `s` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Church Management System version 1.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/admin/edit event.php" API endpoint. **Recommendations** For Church Management System version 1.0, as a temporary workaround, consider restricting access to the "/admin/edit event.php" endpoint until a patch is available. Avoid using the `id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Garage Management System version 1.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/garage/editcategory.php" API endpoint. **Recommendations** For Garage Management System version 1.0, consider restricting access to the `/garage/editcategory.php` endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Garage Management System version 1.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability can be exploited via the `id` parameter at the "/garage/editclient.php" API endpoint. **Recommendations** For Garage Management System version 1.0, consider restricting access to the `/garage/editclient.php` endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint to minimize the risk of exploitation.