Gwen001

**Name of the Vulnerable Software and Affected Versions** Zenphoto versions prior to 1.5.7 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary JavaScript via unspecified vectors. **Recommendations** For versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zenphoto versions prior to 1.5.7 **Description** The issue allows an attacker to conduct PHP code injection attacks by leading a user to upload a specially crafted .zip file. **Recommendations** For versions prior to 1.5.7, update to version 1.5.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Simplejobscript.com SJS versions 1.66 and earlier **Description** An issue was discovered in the job applications search function, allowing for unauthenticated SQL injection. The `job id` parameter is vulnerable, and the issue is related to the `getJobApplicationsByJobId()` function in the ` lib/class.JobApplication.php` file. **Recommendations** For versions 1.66 and earlier, consider restricting access to the `getJobApplicationsByJobId()` function until a patch is available. Avoid using the `job id` parameter in the affected search function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simplejobscript.com SJS versions 1.66 and earlier **Description** The issue allows for unauthenticated Remote Code Execution by uploading a PHP script as a resume, specifically affecting the `controllers/page apply.php` file. **Recommendations** For versions 1.66 and earlier, consider disabling the resume upload feature in the `controllers/page apply.php` file until a patch is available. Restrict access to this file to minimize the risk of exploitation. Avoid using this feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Simplejobscript.com SJS versions prior to 1.65 **Description** An issue was discovered in Simplejobscript.com SJS. There is unauthenticated SQL injection via the search engine, specifically through the `landing location` parameter in the `countSearchedJobs()` function, located in the ` lib/class.Job.php` file. **Recommendations** For versions prior to 1.65, update to version 1.65 or later to resolve the issue. As a temporary workaround, consider restricting access to the search engine or disabling the `countSearchedJobs()` function until a patch is available. Avoid using the `landing location` parameter in the affected search engine endpoint until the issue is resolved.