Furkan Gedik

**Name of the Vulnerable Software and Affected Versions** Online Shopping System Advanced version 1.0 **Description** The software contains a SQL injection flaw in the `payment success.php` script. This allows attackers to inject malicious SQL code through the unfiltered `cm` parameter. Exploitation involves sending crafted SQL queries to obtain sensitive database information by manipulating the user ID parameter. **Recommendations** Apply filters to the `cm` parameter in the `payment success.php` script to prevent SQL injection.

**Name of the Vulnerable Software and Affected Versions** SPA-CART CMS version 1.9.0.3 **Description** The software contains a stored cross-site scripting issue in the product description parameter. Authenticated administrators can inject malicious scripts. Attackers can submit JavaScript payloads through the `descr` parameter in the product edit form, leading to arbitrary code execution in administrative users' browsers. **Recommendations** Administrators should sanitize the `descr` parameter in the product edit form to prevent script injection.

**Name of the Vulnerable Software and Affected Versions** WP JobSearch WordPress plugin versions prior to 2.3.4 **Description** The issue allows unauthenticated attackers to upload arbitrary files, such as PHP files, to the server due to a lack of file validation for uploads. This could potentially lead to malicious code execution on the server. **Recommendations** For WP JobSearch WordPress plugin versions prior to 2.3.4, update to version 2.3.4 or later to resolve the issue. As a temporary workaround, consider disabling file upload functionality until a patch is applied. Restrict access to the upload feature to minimize the risk of exploitation. Avoid using the plugin's upload feature until the issue is resolved.