Cheng Ying Hsieh

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions prior to ver.24E01 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `uid` parameter in the download student learning course function. This enables attackers to manipulate the database, potentially leading to unauthorized data access or modification. **Recommendations** For versions prior to ver.24E01, as a temporary workaround, consider restricting access to the download student learning course function until a patch is available. Avoid using the `uid` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions 24E01 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `cstr` parameter in the download class learning course function. This enables attackers to potentially access or manipulate sensitive data. **Recommendations** For versions 24E01 and earlier, consider restricting access to the download class learning course function until a patch is available. As a temporary workaround, avoid using the `cstr` parameter in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions 24E01 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `uid` parameter in the download personal learning course function. This enables attackers to manipulate the database, potentially leading to unauthorized data access or modification. **Recommendations** For Easytest Online Test Platform versions 24E01 and earlier, consider restricting access to the download personal learning course function until a patch is available. As a temporary workaround, avoid using the `uid` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions 24E01 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `search` parameter in the search course titles function. This enables attackers to run malicious SQL commands, potentially leading to data breaches or other security incidents. **Recommendations** For versions 24E01 and earlier, consider disabling the search function temporarily until a patch is available. Restrict access to the search parameter to minimize the risk of exploitation. Avoid using the `search` parameter in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions 24E01 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `qlevel` parameter in the mock exam function. This enables attackers to manipulate database queries, potentially leading to unauthorized data access or modification. **Recommendations** For versions 24E01 and earlier, consider restricting access to the mock exam function until a patch is available. As a temporary workaround, avoid using the `qlevel` parameter in the affected function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Easytest Online Test Platform versions 24E01 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `word` parameter in the online dictionary function. This can potentially lead to unauthorized access and manipulation of data. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For versions 24E01 and earlier, consider restricting access to the online dictionary function until a patch is available. As a temporary workaround, avoid using the `word` parameter in the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.