Ethx0

**Name of the Vulnerable Software and Affected Versions** ProjectsAndPrograms School Management System versions prior to 6b6fae5426044f89c08d0dd101c7fa71f9042a59 **Description** An issue exists in the HTTP GET Parameter Handler component within the 'buslocation.php' file. Remote attackers can perform SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution, by manipulating the `bus id` argument. **Recommendations** Update ProjectsAndPrograms School Management System to a version later than 6b6fae5426044f89c08d0dd101c7fa71f9042a59. As a temporary workaround, restrict access to the 'buslocation.php' file or avoid using the `bus id` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Qibo CMS version 1.0 **Description** A flaw in the Internal Message Module allows for remote cross site scripting (XSS), a technique where malicious scripts are injected into trusted websites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Qibo CMS version 1.0 **Description** An issue in the '/index/image/headers' file allows for server-side request forgery, a flaw where an attacker can induce the server-side application to make requests to an unintended location. This can be achieved remotely by manipulating the `starts` argument. **Recommendations** As a temporary workaround, avoid using the `starts` argument in the '/index/image/headers' endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A flaw has been found in Qihui jtbc5 CMS 5.0.3.6. Affected is an unknown function of the file /dev/code/common/diplomat/manage.php of the component Code Endpoint. This manipulation of the argument path causes path traversal. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Name of the Vulnerable Software and Affected Versions givanz Vvvebjs versions up to 2.0.5 Description A weakness exists in givanz Vvvebjs up to version 2.0.5 related to the File Upload Endpoint, specifically within the `upload.php` file. Manipulation of the `uploadAllowExtensions` argument can lead to cross site scripting. Remote exploitation is possible. The exploit has been made publicly available. Recommendations Apply patch 8cac22cff99b8bc701c408aa8e887fa702755336.