Eln1X

Name of the Vulnerable Software and Affected Versions: Perfex CRM version 1.9.7 Description: The issue in Perfex CRM allows for unrestricted file upload, which can lead to remote code execution. Recommendations: For Perfex CRM version 1.9.7, update to a newer version that contains a fix for this issue, as using the current version poses a significant risk due to the possibility of remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: RISE Ultimate Project Manager version 1.9 Description: A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `search` parameter in the "index.php/knowledge base/get article suggestion/" API endpoint. Recommendations: For RISE Ultimate Project Manager version 1.9, consider restricting access to the "index.php/knowledge base/get article suggestion/" endpoint until a patch is available. As a temporary workaround, avoid using the `search` parameter in this endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Muviko version 1.1 Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the `email` parameter to "login.php", the `season id` parameter to "themes/flixer/ajax/load season.php", the `movie id` parameter to "themes/flixer/ajax/get rating.php", the `rating` or `movie id` parameter to "themes/flixer/ajax/update rating.php", or the `id` parameter to "themes/flixer/ajax/set player source.php". Recommendations: For Muviko version 1.1, consider disabling the affected API endpoints, specifically "login.php", "themes/flixer/ajax/load season.php", "themes/flixer/ajax/get rating.php", "themes/flixer/ajax/update rating.php", and "themes/flixer/ajax/set player source.php", until a patch is available. Additionally, restrict the use of the vulnerable parameters `email`, `season id`, `movie id`, `rating`, and `id` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PHP Melody version 2.7.1 **Description** The issue concerns a SQL Injection Time-based attack. This attack can be executed on the "ajax.php" page, specifically targeting the `playlist` parameter. **Recommendations** For PHP Melody version 2.7.1, consider restricting access to the "ajax.php" page or the `playlist` parameter to minimize the risk of exploitation until a patch is available.