Dilillearngent

**Name of the Vulnerable Software and Affected Versions** DedeCMS versions up to and including 5.7.110 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities are located at the "/dede/vote add.php" API endpoint via the `votename` and `voteitem1` parameters. **Recommendations** For DedeCMS versions up to and including 5.7.110, as a temporary workaround, consider restricting access to the "/dede/vote add.php" endpoint or avoiding the use of the `votename` and `voteitem1` parameters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeCMS versions up to and including 5.7.110 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities are located at the "/dede/vote edit.php" API endpoint via the `votename` and `votenote` parameters. **Recommendations** For DedeCMS versions up to and including 5.7.110, as a temporary workaround, consider restricting access to the "/dede/vote edit.php" endpoint or avoiding the use of the `votename` and `votenote` parameters until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeCMS versions up to and including 5.7.110 **Description** A cross-site scripting (XSS) issue was found in DedeCMS. The issue is located at the "/dede/freelist add.php" API endpoint via the `title` parameter. **Recommendations** For DedeCMS versions up to and including 5.7.110, as a temporary workaround, consider restricting access to the "/dede/freelist add.php" endpoint or avoiding the use of the `title` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeCMS versions up to and including 5.7.110 **Description** A cross-site scripting (XSS) issue was found in DedeCMS. The issue is located at the "/dede/freelist edit.php" API endpoint via the `title` parameter. **Recommendations** For DedeCMS versions up to and including 5.7.110, as a temporary workaround, consider restricting access to the "/dede/freelist edit.php" endpoint or avoiding the use of the `title` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via the `description` parameter in the "insert.php" endpoint. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the `description` parameter in the "insert.php" endpoint until a patch is available to prevent exploitation. Restrict access to the "insert.php" endpoint to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `ticket id` parameter at the "ticket detail.php" endpoint. This enables the attacker to potentially access or manipulate sensitive data. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the `ticket id` parameter in the "ticket detail.php" endpoint until a patch is available. Restrict access to the "ticket detail.php" endpoint to minimize the risk of exploitation. Avoid using the `ticket id` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `emp id` parameter at the "employee detail.php" endpoint. This enables the attacker to potentially access or manipulate sensitive data. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the `emp id` parameter in the "employee detail.php" endpoint until a patch is available to prevent exploitation. Restrict access to the "employee detail.php" endpoint to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `id` parameter at the "daily expenditure edit.php" endpoint. This enables the attacker to potentially access and manipulate sensitive data. **Recommendations** For Online Travel Agency System version 1.0, consider disabling access to the "daily expenditure edit.php" endpoint until a patch is available. Additionally, restrict the use of the `id` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A remote attacker can execute arbitrary code via a crafted PHP file to the "artical.php" endpoint. This issue allows for the execution of arbitrary code, potentially leading to system compromise. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the file upload feature to the "artical.php" endpoint until a patch is available. Restrict access to the "artical.php" endpoint to minimize the risk of exploitation. Avoid using the file upload feature in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `emp id` parameter at the "employee edit.php" endpoint. This enables the attacker to potentially access and manipulate sensitive data. **Recommendations** For Online Travel Agency System version 1.0, consider disabling access to the "employee edit.php" endpoint until a patch is available. As a temporary workaround, restrict the use of the `emp id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `costomer id` parameter at the "customer edit.php" endpoint. This enables the attacker to manipulate database queries, potentially leading to unauthorized data access or modification. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the `costomer id` parameter in the "customer edit.php" endpoint until a patch is available to prevent exploitation. Restrict access to the "customer edit.php" endpoint to minimize the risk of arbitrary code execution. Avoid using the `costomer id` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A SQL injection issue allows a remote attacker to execute arbitrary code via the `page id` parameter at the "article edit.php" endpoint. This enables the attacker to potentially access and manipulate sensitive data. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the `page id` parameter in the "article edit.php" endpoint until a patch is available. Restrict access to the "article edit.php" endpoint to minimize the risk of exploitation. Avoid using the `page id` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Online Travel Agency System version 1.0 **Description** A remote attacker can execute arbitrary code via a crafted PHP file to the "employee insert.php" endpoint. This allows for the potential execution of malicious code, posing a significant risk. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Online Travel Agency System version 1.0, consider disabling the file upload functionality to the "employee insert.php" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.