Imad Alvi

**Name of the Vulnerable Software and Affected Versions** SourceCodester Inventory System version 1.0 **Description** Cross site scripting can be triggered remotely via the User Management Page component in the file '/users.php'. The issue occurs through the manipulation of the `fullname` or `username` arguments. **Recommendations** Update SourceCodester Inventory System to a version newer than 1.0. As a temporary workaround, restrict access to the '/users.php' file or the User Management Page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** code-projects Vehicle Management System version 1.0 **Description** An unrestricted file upload issue exists within the New Driver Registration Form component in the file 'newdriver.php'. A remote attacker can achieve this by manipulating the `photo` argument, allowing the upload of unauthorized files. **Recommendations** Update code-projects Vehicle Management System to a version that resolves this issue. As a temporary workaround, restrict access to the 'newdriver.php' file or the New Driver Registration Form component.

**Name of the Vulnerable Software and Affected Versions** code-projects Smart Parking System version 1.0 **Description** A flaw in the Admin Endpoint component allows remote attackers to bypass authentication. This issue affects multiple endpoints within the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Hotel and Tourism Reservation System version 1.0 **Description** A weakness in the GET Parameter Handler component within the `tour.php` file allows for remote SQL injection. This occurs when the `tour` argument is manipulated, enabling an attacker to interfere with the application's database queries. **Recommendations** As a temporary workaround, restrict access to the `tour` parameter in the `tour.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name /email /people /number results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

A vulnerability was identified in code-projects Hotel and Tourism Reservation System 1.0. This issue affects the function password verify of the file /admin/login.php of the component Admin Login. Such manipulation of the argument Password leads to improper authentication. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

**Name of the Vulnerable Software and Affected Versions** Visitor Management System version 1.0 **Description** A SQL injection flaw exists in the `/vms/php/phone 0.php` endpoint. The issue is triggered by the manipulation of the `phone` argument, allowing a remote attacker to execute arbitrary SQL commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Student Details Management System version 1.0 **Description** A remote SQL injection is possible via the manipulation of the `roll` argument in the '/index.php' endpoint. SQL injection is a type of vulnerability that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** Update code-projects Student Details Management System version 1.0 to a patched version. As a temporary workaround, restrict access to the '/index.php' endpoint or sanitize the `roll` argument to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** A remote SQL injection exists in the GET Parameter Handler of the '/admin/view order.php' file. This issue occurs when the `ID` argument is manipulated, allowing an attacker to execute arbitrary SQL commands. **Recommendations** As a temporary workaround, avoid using the `ID` parameter in the '/admin/view order.php' endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pizzafy Ecommerce System version 1.0 **Description** An unrestricted upload issue exists in the File Extension Handler component. A remote attacker can manipulate the `img` argument within the `save menu()` function of the '/admin/admin class novo.php' file to upload arbitrary files. **Recommendations** Restrict access to the `save menu()` function in the '/admin/admin class novo.php' file or validate the `img` parameter to prevent unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** SourceCodester CET Automated Grading System with AI Predictive Analytics version 1.0 **Description** A cross-site scripting issue exists in the Registration component. A remote attacker can execute this by manipulating the `student id`, `full name`, `section`, or `username` arguments within the "/index.php?action=register" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Coaching Management System version 1.0 **Description** An issue exists in the POST Handler component within the file '/cims/modules/admin/reply.php'. Remote attackers can perform SQL injection, a technique where malicious SQL statements are inserted into entry fields for execution, by manipulating the `complaintreply` argument. **Recommendations** As a temporary workaround, restrict access to the file '/cims/modules/admin/reply.php' or avoid using the `complaintreply` argument until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Coaching Management System version 1.0 **Description** An issue exists in the Complaint Form Page within the file '/cims/modules/student/complaint.php'. Remote attackers can initiate cross-site scripting (XSS)—a technique where malicious scripts are injected into trusted websites—by manipulating the `Complaint` argument. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Home Service System version 1.0 **Description** A cross-site scripting (XSS) flaw exists in the Appointment Booking component within the '/booking.php' endpoint. Remote attackers can manipulate the `fname` and `lname` parameters to inject malicious scripts into appointment booking flows. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Job Portal version 1.0 **Description** An issue in the '/users/user-cvs/' file allows remote attackers to access sensitive file and directory information. This information exposure can be used to obtain details about paths or files on the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Job Portal version 1.0 **Description** A security flaw in the All Jobs Page component allows for remote SQL injection. This occurs through the manipulation of the `ID` argument within an unknown function of the '/admin/jobs-admins/delete-jobs.php' endpoint. SQL injection is a technique where an attacker inserts malicious SQL code into a query, potentially allowing them to manipulate the database. **Recommendations** As a temporary workaround, restrict access to the '/admin/jobs-admins/delete-jobs.php' endpoint or avoid using the `ID` argument in that file until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple Content Management System version 1.0 **Description** An issue exists in the login functionality within the file '/web/admin/login.php'. Manipulation of the `User` argument allows for SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution, potentially allowing unauthorized access to the database. This attack can be performed remotely. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Job Portal version 1.0 **Description** Improper access controls in the Delete Job Posting Handler component allow a remote attacker to manipulate the `ID` argument. This issue exists within an unknown function of the '/jobs/job-delete.php' file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions code-projects Simple Content Management System version 1.0 Description A cross-site scripting issue exists in the file '/web/admin/welcome.php'. This occurs when the `News Title` argument is manipulated, allowing the attack to be executed remotely. Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple Content Management System version 1.0 **Description** An issue in the '/web/index.php' file allows for SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution. This occurs through the manipulation of the `ID` argument, enabling remote exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.