Ischyr

**Name of the Vulnerable Software and Affected Versions** Karthikg1908 Hospital Management System (HMS) version 1.0 **Description** An SQL injection issue exists in the `user-login.php` and `index.php` files. The application does not properly sanitize input before using it in SQL queries. This allows remote attackers to execute arbitrary SQL queries through the `username` and `password` POST parameters. Successful exploitation could lead to unauthorized access, privilege escalation, account takeover, or exposure of sensitive medical data. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DevaslanPHP project-management version 1.2.4 **Description** A stored cross-site scripting (XSS) issue exists in DevaslanPHP project-management version 1.2.4. The vulnerability is located in the Ticket Name field, which does not properly sanitize user input. An authenticated attacker can inject malicious JavaScript payloads into this field. These payloads are stored in the database and executed in a user's browser context when the user logs in and is redirected to the Dashboard panel upon authentication. **Recommendations** Update DevaslanPHP project-management to a version that addresses this issue. As a temporary workaround, sanitize all user input for the Ticket Name field to prevent the injection of malicious scripts.