Hyd3Sec

**Name of the Vulnerable Software and Affected Versions** GetSimple CMS Multi User plugin version 1.8.2 **Description** A Cross-Site Request Forgery (CSRF) issue allows remote attackers to add admin or other users after an authenticated admin visits a third-party site or clicks on a URL. This occurs because the plugin fails to properly validate requests, enabling attackers to perform unauthorized actions. **Recommendations** For GetSimple CMS Multi User plugin version 1.8.2, consider disabling the plugin until a patch is available to prevent exploitation of this issue. Restrict access to admin panels and ensure that all administrators are cautious when clicking on external links or visiting third-party sites to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Daily Tracker System version 1.0 **Description** A Cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `fullname` parameter in the "user-profile.php" file. **Recommendations** For SourceCodester Daily Tracker System version 1.0, avoid using the `fullname` parameter in the vulnerable "user-profile.php" file until a fix is available. Consider validating and sanitizing user input to prevent arbitrary script injection.

**Name of the Vulnerable Software and Affected Versions** Project Worlds Car Rental Management System version 1.0 **Description** The issue allows attackers to upload arbitrary files, potentially leading to remote code execution. This is due to a flaw in the Vehicle Image Upload component. **Recommendations** For Project Worlds Car Rental Management System version 1.0, consider disabling the Vehicle Image Upload component until a patch is available to prevent exploitation. Restrict access to this component to minimize the risk of remote code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Stock Management System version 1.0 **Description** A SQL injection issue in the login component allows a remote attacker to execute arbitrary SQL commands via the `username` parameter. **Recommendations** For Stock Management System version 1.0, avoid using the `username` parameter in the login component until the issue is resolved. Consider temporarily restricting access to the login functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BarracudaDrive version 6.5 **Description** The issue concerns insecure service file permissions in the bd service, allowing local attackers to escalate privileges to admin. This can be achieved by replacing the `%SYSTEMDRIVE%bdbd.exe` file. Upon the computer's next start, the new bd.exe will be executed with LocalSystem privileges. **Recommendations** For BarracudaDrive version 6.5, ensure proper file permissions are set for the bd service to prevent unauthorized access and modification of the `%SYSTEMDRIVE%bdbd.exe` file. As a temporary workaround, consider restricting write access to the `%SYSTEMDRIVE%bd` directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sourcecodetester Daily Tracker System version 1.0 **Description** A SQL injection issue in the login functionality allows an unauthenticated user to bypass authentication using SQL injection via the `email` parameter. **Recommendations** For Sourcecodetester Daily Tracker System version 1.0, consider restricting access to the login functionality until a patch is available, and avoid using the `email` parameter in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GetSimple CMS version 3.3.16 **Description** A Reflected Cross-Site Scripting issue allows remote attackers to execute JavaScript code in the client's browser and potentially harvest login credentials after a client clicks a link, enters credentials, and submits the login form on the admin/index.php login portal webpage. **Recommendations** For GetSimple CMS version 3.3.16, update to a version that addresses this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Tailor Management System version 1.0 **Description** A Reflected Cross-Site Scripting (XSS) issue in the index.php login-portal webpage allows remote attackers to harvest keys pressed by an unauthenticated victim who clicks on a malicious URL and begins typing. **Recommendations** For SourceCodester Tailor Management System version 1.0, as a temporary workaround, consider disabling access to the index.php login-portal webpage until a patch is available. Restrict access to this webpage to minimize the risk of exploitation. Avoid using the login-portal webpage in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Projects World House Rental version 1.0 **Description** The File Upload component in the software suffers from an arbitrary file upload issue, allowing remote attackers to conduct code execution. This affects regular users. **Recommendations** For version 1.0, restrict access to the File Upload component to prevent exploitation until a fix is available. Consider disabling the file upload functionality temporarily as a mitigation measure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.