Ho Cherry

**Name of the Vulnerable Software and Affected Versions** Zhong Bang CRMEB versions up to 5.6.3 **Description** A security issue exists in Zhong Bang CRMEB. The flaw affects unknown code within the file `crmeb/app/api/controller/v1/CrontabController.php` of the `crontab` component. This results in missing authorization, allowing remote attacks. The exploit for this issue is publicly available. The vendor was notified but did not respond. The affected API endpoint is `/api/v1/CrontabController`. **Recommendations** Versions up to 5.6.3 should be updated to a newer, secure version if available. As a temporary workaround, consider restricting access to the `CrontabController.php` file or the `crontab` component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zhong Bang CRMEB versions prior to 5.6.4 **Description** A security issue exists in Zhong Bang CRMEB. Improper authorization can occur due to manipulation of the `order id` argument within the `detail/tidyOrder` function located in the `/api/store integral/order/detail/:uni` file. This issue can be exploited remotely. The exploit is publicly available. **Recommendations** Update to version 5.6.4 or later. As a temporary workaround, restrict access to the `/api/store integral/order/detail/:uni` endpoint.

**Name of the Vulnerable Software and Affected Versions** CRMEB versions prior to 5.6.4 **Description** A security flaw exists in CRMEB that allows improper authentication. This is due to manipulation of the `openId` argument within the `appleLogin` function located in the file crmeb/app/api/controller/v1/LoginController.php. The issue is exploitable remotely. The exploit has been publicly released. **Recommendations** Update CRMEB to version 5.6.4 or later. As a temporary workaround, restrict access to the `appleLogin` function within the crmeb/app/api/controller/v1/LoginController.php file.

**Name of the Vulnerable Software and Affected Versions** CRMEB versions prior to 5.6.3 **Description** A security issue exists in CRMEB related to improper authentication. This is due to manipulation of the `uid` argument within the `remoteRegister` function located in the file crmeb/app/services/user/LoginServices.php of the JSON Token Handler component. The attack can be performed remotely and requires a high level of complexity, but the exploit is publicly available. The vendor was contacted but did not respond. **Recommendations** Update CRMEB to a version later than 5.6.3. As a temporary workaround, restrict access to the `remoteRegister` function.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in code-projects Online Product Reservation System 1.0 that allows for cross site scripting. The issue is located in an unknown function within the `handgunner-administrator/prod.php` file. Manipulating the `cat` argument can trigger the flaw, and the attack can be carried out remotely. The exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A security flaw exists in code-projects Online Product Reservation System version 1.0. The issue is located in the file `app/user/login.php` within the User Login component. Manipulation of the `emailadd` argument can lead to SQL injection. This attack can be initiated remotely. The exploit has been publicly released. **Recommendations** Apply any available updates or patches for code-projects Online Product Reservation System version 1.0. As a temporary workaround, consider sanitizing the `emailadd` input to prevent SQL injection. Restrict access to the `app/user/login.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in the processing of the `app/products/left cart.php` file. Manipulation of the `ID` argument can lead to SQL injection. Remote exploitation is possible. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A security issue exists in code-projects Online Product Reservation System 1.0. The issue involves the manipulation of the `transaction id` argument within the GET Parameter Handler, specifically in the `/order view.php` file, leading to a SQL injection. The attack can be carried out remotely. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** An issue exists in the Administration Backend component that allows for improper authentication. The issue is triggered by a manipulation of an unknown function. The exploit for this issue has been publicly released and could be used for remote attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in the Online Product Reservation System that allows for remote manipulation. The issue stems from a SQL injection point within the POST Parameter Handler, specifically in the `/app/checkout/delete.php` file. The `ID` argument is susceptible to manipulation, leading to potential SQL injection. The exploit for this issue has been publicly disclosed. **Recommendations** Apply updates to address the vulnerability in the affected file `/app/checkout/delete.php`. Restrict or sanitize the `ID` parameter to prevent SQL injection attacks. As a temporary workaround, consider disabling the vulnerable function responsible for handling the `ID` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in code-projects Online Product Reservation System 1.0 that allows for SQL injection. The issue is located in an unknown function within the `/app/checkout/update.php` file of the Cart Update Handler component. Manipulation of the `id/qty` argument can trigger the injection. The attack can be launched remotely, and an exploit is publicly available. **Recommendations** Apply updates to the affected file `/app/checkout/update.php` to address the SQL injection issue.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A security flaw exists in the User Registration Handler component of code-projects Online Product Reservation System version 1.0. The issue involves a SQL injection that can be triggered remotely by manipulating the `fname`, `lname`, `address`, `city`, `province`, `country`, `zip`, `tel no`, `email`, or `username` arguments within the `/handgunner-administrator/register code.php` file. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in code-projects Online Product Reservation System 1.0, specifically within the Parameter Handler component. Manipulation of the `cat/price/name/model/serial` argument in the file `/handgunner-administrator/prod.php` can lead to SQL injection. The attack can be initiated remotely. The exploit is publicly available. **Recommendations** Versions prior to 1.0 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A security issue exists in code-projects Online Product Reservation System 1.0. The issue affects an unknown function within the `/handgunner-administrator/adminlogin.php` file of the Administrator Login component. Manipulation of the `emailadd/pass` argument can lead to SQL injection. The attack can be performed remotely, and the exploit has been publicly disclosed. **Recommendations** code-projects Online Product Reservation System version 1.0: Address the SQL injection issue in the `/handgunner-administrator/adminlogin.php` file by sanitizing or validating the `emailadd/pass` argument.

**Name of the Vulnerable Software and Affected Versions** Online Product Reservation System version 1.0 **Description** A flaw exists in the POST Parameter Handler component of the software, specifically within the `/handgunner-administrator/edit.php` file. The `prod id`, `name`, `price`, `model`, and `serial` arguments are susceptible to SQL injection. This issue can be exploited remotely. The exploit has been publicly disclosed. **Recommendations** Apply any available updates to address the SQL injection issue in the POST Parameter Handler component. As a temporary workaround, restrict or carefully sanitize input to the `prod id`, `name`, `price`, `model`, and `serial` parameters within the `/handgunner-administrator/edit.php` file.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in an unknown functionality within the `/handgunner-administrator/delete.php` file. Manipulation of the `ID` parameter results in a SQL injection condition. This issue can be exploited remotely. The exploit is publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Product Reservation System version 1.0 **Description** A flaw exists in code-projects Online Product Reservation System 1.0 that allows for unrestricted file upload via manipulation of an unknown functionality within the `/handgunner-administrator/prod.php` file. This issue can be exploited remotely. The exploit for this issue has been published. The vulnerable file is `/handgunner-administrator/prod.php`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.