Cakes

**Name of the Vulnerable Software and Affected Versions** FileThingie version 2.5.7 **Description** The software contains an arbitrary file upload issue that allows attackers to upload malicious files. This is achieved by sending ZIP archives through the 'ft2.php' endpoint. Attackers can upload ZIP files containing PHP shells, utilize the unzip functionality to extract them into accessible directories, and then execute arbitrary commands through the extracted PHP files. The vulnerable parameter is the file uploaded to the 'ft2.php' endpoint. **Recommendations** Apply a fix for FileThingie version 2.5.7.

**Name of the Vulnerable Software and Affected Versions** delpino73 Blue-Smiley-Organizer version 1.32 **Description** The software contains an SQL injection issue in the `datetime` parameter. Unauthenticated attackers can manipulate database queries by injecting SQL code through POST requests. This allows attackers to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements. **Recommendations** Apply a fix for version 1.32 to address the SQL injection issue in the `datetime` parameter.

**Name of the Vulnerable Software and Affected Versions** GOautodial version 4.0 **Description** GOautodial version 4.0 has a persistent cross-site scripting issue. Authenticated attackers can inject malicious scripts through the event title parameter. The issue is exploitable via crafted POST requests with XSS payloads sent to the `/CreateEvent.php` endpoint, allowing for the execution of arbitrary JavaScript in victim browsers. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the `event title` parameter before processing it in the `CreateEvent.php` endpoint.

**Name of the Vulnerable Software and Affected Versions** WorkgroupMail version 7.5.1 **Description** The software contains an unquoted service path vulnerability in its Windows service configuration. This allows local attackers to potentially execute arbitrary code. Exploitation involves leveraging the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. **Recommendations** Apply appropriate quoting to the service path configuration to prevent the execution of unauthorized code.

**Name of the Vulnerable Software and Affected Versions** Mikogo version 5.2.2.150317 **Description** The software contains an unquoted service path issue in the 'Mikogo-Service' Windows service configuration. This allows attackers to inject and execute malicious code with LocalSystem privileges by placing executable files in specific path locations. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zilab Remote Console Server version 3.2.9 **Description** The software contains an unquoted service path that could allow local attackers to execute arbitrary code with elevated system privileges. Exploitation involves leveraging the unquoted binary path within the service configuration to inject malicious executables, which are then executed with LocalSystem permissions. **Recommendations** Ensure the service path is enclosed in quotes to prevent the execution of unauthorized code.

**Name of the Vulnerable Software and Affected Versions** ActiveFax Server version 6.92 Build 0316 **Description** ActiveFax Server 6.92 Build 0316 contains an unquoted service path vulnerability in the `ActiveFaxServiceNT` service. This allows local attackers to potentially execute arbitrary code by exploiting the unquoted binary path to inject malicious executables. These executables can then be launched with elevated administrative privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TheJshen ContentManagementSystem version 1.04 **Description** An issue exists that allows attackers to manipulate database queries through the 'id' GET parameter. This can be achieved using boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** html5 snmp version 1.11 **Description** The software contains a persistent cross-site scripting issue. An attacker can inject malicious scripts through the `Remark` parameter in the `add router operation.php` file. By crafting a POST request with a script payload in the `Remark` field, an attacker can execute arbitrary JavaScript in the browsers of those who view the page. The vulnerable parameter is `Remark`. The affected file is `add router operation.php`. **Recommendations** Apply a fix to the `add router operation.php` file to sanitize the `Remark` parameter and prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** html5 snmp version 1.11 **Description** The software contains multiple SQL injection flaws that allow manipulation of database queries. Attackers can leverage the `Router ID` and `Router IP` parameters to exploit error-based, time-based, and union-based injection techniques. Successful exploitation could lead to the extraction or modification of database information through crafted payloads. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RimbaLinux AhadPOS version 1.11 **Description** An issue exists where crafted POST requests can manipulate database queries via the `alamatCustomer` parameter. This allows for the use of time-based and boolean-based blind SQL injection techniques to extract information or interact with the underlying database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Globitek CMS version 1.4 **Description** An issue exists where attackers can manipulate database queries through the 'id' GET parameter. This can be exploited using boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Millhouse-Project version 1.414 **Description** A persistent cross-site scripting issue exists in the comment submission functionality. This allows attackers to inject malicious scripts by posting comments with embedded JavaScript through the 'add comment sql.php' endpoint using the `content` parameter, leading to the execution of arbitrary scripts in the browsers of users who view the comments. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.