C4Ttr4Ck

**Name of the Vulnerable Software and Affected Versions** Sushmi-pal Invoice-System versions up to a0a3faa16dee2621b231ae227333f5761607283b **Description** Improper authorization exists in the Profile Workflow component within the '/profile' file. A remote attacker can manipulate the `ID` argument to bypass authorization controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sushmi-pal Invoice-System versions up to a0a3faa16dee2621b231ae227333f5761607283b **Description** An improper authorization issue exists in the User Management Handler component within the '/user' file. A remote attacker can manipulate the `role` argument to bypass authorization controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Indian Invoicing System version 1.0 **Description** An issue exists in the Invoice Generation Handler component within the file '/Invoicing/IGST Invoice.php'. Remote attackers can perform SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution, by manipulating the `customer name/category` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Indian Invoicing System version 1.0 **Description** A cross-site scripting issue exists in the file '/Invoicing/category.php'. The problem occurs when the `msg` argument is manipulated, allowing a remote attacker to execute malicious scripts in the victim's browser. **Recommendations** Restrict access to the file '/Invoicing/category.php' or avoid using the `msg` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Simple POS and Inventory System version 1.0 **Description** A flaw in the File Extension Handler component of the '/admin/addproduct.php' endpoint allows unrestricted file upload. This occurs through the manipulation of the `image` argument, enabling remote exploitation. **Recommendations** Restrict access to the '/admin/addproduct.php' endpoint or disable the `image` upload functionality until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Simple POS and Inventory System version 1.0 **Description** A remote SQL injection can occur due to improper handling of the `ID` argument within an unknown function in the '/admin/edit customer.php' endpoint. SQL injection is a type of flaw that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** As a temporary workaround, restrict access to the '/admin/edit customer.php' file or avoid using the `ID` parameter in that endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Simple POS and Inventory System version 1.0 **Description** A remote SQL injection is possible due to improper manipulation of the `Name` argument within an unknown function in the '/user/search.php' endpoint. SQL injection is a type of flaw that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** Restrict access to the '/user/search.php' endpoint or avoid using the `Name` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Indian Invoicing System versions 0.x through 1.0 **Description** A security flaw exists in the Invoice Template Render Database-Backed component. The manipulation of the `customer name` argument in the '/Invoicing/add order.php' endpoint allows for remote cross-site scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Indian Invoicing System version 1.0 **Description** An issue exists in the Backend Endpoint component where a manipulation of an unknown function can lead to improper access controls. This flaw allows for remote attacks across multiple endpoints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Simple POS and Inventory System version 1.0 **Description** An issue exists in the GET Parameter Handler component where the `delete()` function within the '/admin/deleteproduct.php' endpoint is susceptible to SQL injection. This occurs through the manipulation of the `ID` argument, allowing a remote attack to be launched. **Recommendations** Restrict access to the '/admin/deleteproduct.php' endpoint or avoid using the `ID` parameter until a fix is applied.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System in Laravel version 1.0 **Description** A weakness in the `/company` file allows for unrestricted file upload. This issue occurs when the `logo` argument is manipulated, enabling a remote attacker to upload files to the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System in Laravel version 1.0 **Description** A remote cross-site request forgery (CSRF) issue exists in an unknown function. CSRF is a type of attack that tricks a victim into submitting a malicious request to a web application where they are currently authenticated. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System in Laravel version 1.0 **Description** An improper authorization flaw exists within the User Management Handler component. Specifically, manipulating the `ID` parameter in the '/user' endpoint allows remote attackers to gain unauthorized access to user-management functionality. This is a direct access-control issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Avoid using the `ID` parameter in the '/user' endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** code-projects Chat System version 1.0 **Description** An issue exists in the MD5 Hash Handler component within the `update user.php` file. Manipulation of the `Password` argument leads to the use of a weak hash, which can be exploited remotely. This process involves a high level of complexity and is considered difficult to execute. **Recommendations** As a temporary workaround, restrict access to the `update user.php` file or the MD5 Hash Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System in Laravel version 1.0 **Description** An improper authorization flaw exists in the Invoice Endpoint component within the '/invoice/' file. By manipulating the `ID` parameter, a remote attacker can bypass access controls to expose or alter invoice-related data. This is an Insecure Direct Object Reference (IDOR), which occurs when an application provides direct access to objects based on user-supplied input. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System version 1.0 **Description** Improper authorization exists in the API Endpoint component within the `/item` file. A remote attacker can perform a manipulation to bypass authorization controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Chat System version 1.0 **Description** Cross-site scripting can occur in the Chat Interface component via the '/admin/send message.php' endpoint. A remote attacker can exploit this by manipulating the `msg` argument. Cross-site scripting is a flaw that allows attackers to inject malicious scripts into web pages viewed by other users. **Recommendations** Avoid using the `msg` argument in the '/admin/send message.php' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System in Laravel version 1.0 **Description** An improper authorization issue exists in the Profile Handler component within the '/profile/' file. Remote attackers can manipulate the `ID` argument to bypass authorization controls. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Invoice System version 1.0 **Description** A flaw in the `/item` file allows remote attackers to perform cross-site scripting (XSS)—a technique where malicious scripts are injected into trusted websites—by manipulating the `item name/description` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Train Ticket Reservation System version 1.0 **Description** A critical issue was found in the Login Form component, where the manipulation of the `username` argument leads to a stack-based buffer overflow. This issue requires local attacking to be exploited. **Recommendations** For code-projects Train Ticket Reservation System version 1.0, as a temporary workaround, consider restricting access to the Login Form component until a patch is available. Avoid using the `username` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.