Gus Ralph

**Name of the Vulnerable Software and Affected Versions** Online-Exam-System version 2015 **Description** The software contains a time-based blind SQL injection issue in the feedback form. This allows attackers to extract database password hashes. The issue is exploitable through the 'feed.php' endpoint by crafting malicious requests that leverage time delays to determine user password characters. The vulnerable parameter is not explicitly specified, but the attack involves manipulating requests to the 'feed.php' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.8.7 **Description** Navigate CMS 2.8.7 contains an authenticated SQL injection issue that allows attackers to obtain database information by manipulating the `sidx` parameter within comments. Attackers can exploit this to extract user activation keys using time-based blind SQL injection techniques, potentially allowing for password resets of administrative accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.8.7 **Description** Navigate CMS 2.8.7 is susceptible to a cross-site request forgery condition. This allows attackers to upload malicious extensions through a specially crafted HTML page. An attacker can deceive authenticated administrators into performing arbitrary file uploads by exploiting the extension upload functionality, which lacks sufficient validation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.