Cw.Wong

**Name of the Vulnerable Software and Affected Versions** Tosei Online Store Management System version 1.01 **Description** A security flaw exists in the function system of the `/cgi-bin/monitor.php` file within the HTTP POST Request Handler component. Manipulation of the `DevId` argument results in operating system command injection. The attack can be initiated remotely. An exploit has been released and may be used for attacks. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vaelsys version 4.1.0 **Description** A flaw exists in Vaelsys 4.1.0 related to the HTTP POST Request Handler component. Specifically, manipulation of the `xajaxargs` argument within a request to the file '/tree/tree server.php' can lead to operating system command injection. This issue is exploitable remotely. The exploit has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SourceCodester Online Bank Management System version 1.0 Description: A weakness has been identified that allows for SQL injection. The issue impacts an unknown function within the `/bank/show.php` file. Manipulation of the `ID` argument can lead to successful exploitation. The attack can be performed remotely, and an exploit has been made publicly available. Recommendations: SourceCodester Online Bank Management System version 1.0: As a temporary workaround, consider restricting access to the `/bank/show.php` file until a patch is available.

Name of the Vulnerable Software and Affected Versions: SourceCodester Online Bank Management System version 1.0 Description: A security vulnerability has been detected. The affected element is an unknown function of the file `/bank/mnotice.php`. Manipulation of the `ID` argument leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Campcodes Online Recruitment Management System version 1.0 **Description** A vulnerability exists in Campcodes Online Recruitment Management System that may allow for remote manipulation. The issue is related to a SQL injection affecting an unknown functionality within the `/admin/ajax.php?action=delete recruitment status` endpoint. The `ID` parameter is susceptible to exploitation. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Campcodes Online Recruitment Management System version 1.0 **Description** A critical vulnerability exists in Campcodes Online Recruitment Management System. The vulnerability is due to SQL injection, stemming from manipulation of the `ID` argument in the `/admin/ajax.php?action=save user` API endpoint. This allows for remote exploitation. The exploit has been publicly disclosed. **Recommendations** As a temporary workaround, restrict access to the `/admin/ajax.php?action=save user` API endpoint until a fix is available. Sanitize the `ID` parameter before using it in any database queries.