Asian Arts Talents Foundation · Aatf Website · CVE-2025-55473
**Name of the Vulnerable Software and Affected Versions**
Asian Arts Talents Foundation (AATF) Website versions 5.1.x
Asian Arts Talents Foundation (AATF) Docker version 2024.12.8.1
**Description**
The Asian Arts Talents Foundation (AATF) Website and Docker image are vulnerable to cross-site scripting (XSS). The `/ip.php` endpoint reflects the value of the `X-Forwarded-For` request header into its response without validating it or encoding it for HTML output, so an attacker who controls that header can inject JavaScript that runs in the browser of whoever renders the response. Because the injection point is a request header rather than a URL parameter, a victim is not exposed simply by following a link: the attacker must be able to set the header on the request whose response the victim's browser renders (for example through an intermediate proxy or cache), or the reflected value must be stored and shown to other visitors. The advisory does not state whether the value is persisted.
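The following is an added example, not code from the AATF project; the real `ip.php` is not reproduced and its exact structure is assumed. It shows the vulnerable pattern the advisory describes (header echoed verbatim into HTML) next to a hardened version that honours `X-Forwarded-For` only from an operator-controlled proxy, validates the value as an IP address with `filter_var`, and HTML-encodes it on output with `htmlspecialchars`. The request array and the trusted-proxy address are constructed for the example.

```php
<?php
// Added example (not AATF's code). The shape of the flawed endpoint is an
// assumption based on the advisory: the header value lands in HTML unencoded.

// Vulnerable pattern: whatever the client sent in X-Forwarded-For is echoed.
function render_ip_vulnerable(array $server): string
{
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    return "<p>Your IP: {$ip}</p>";
}

// Resolve the client IP safely. X-Forwarded-For is only meaningful when the
// direct TCP peer is a proxy we operate; anyone else can set it to anything.
function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)
        && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // XFF is a comma-separated hop list. With a single trusted proxy the
        // rightmost entry is the one that proxy appended, i.e. the real peer.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

// Hardened pattern: validate first, and still encode on output. The encoding
// is defence in depth; it keeps the template safe if the validator ever changes.
function render_ip_hardened(array $server, array $trustedProxies): string
{
    $ip = client_ip($server, $trustedProxies);
    return '<p>Your IP: '
        . htmlspecialchars($ip, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed request: the attacker connects directly and sets the header.
$request = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => '<script>alert(document.domain)</script>',
];
$trustedProxies = ['10.0.0.5']; // assumed address of the site's own reverse proxy

echo "vulnerable: " . render_ip_vulnerable($request) . "\n";
echo "hardened:   " . render_ip_hardened($request, $trustedProxies) . "\n";
```

To check a deployment, send the header by hand, for example `curl -s -H 'X-Forwarded-For: <script>alert(1)</script>' https://HOST/ip.php`, and look for the tag appearing unencoded in the body; a fixed endpoint returns it as `&lt;script&gt;...` or rejects the value. If `/ip.php` is intended as a machine-readable API rather than a page, answering with `Content-Type: application/json` plus `X-Content-Type-Options: nosniff` is the other standard way to close the XSS, independent of encoding.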
**Recommendations**
Asian Arts Talents Foundation (AATF) Website version 5.1.x: Validate and HTML-encode all user-supplied input before rendering it in a web page, including data taken from HTTP headers. For `X-Forwarded-For` specifically, accept the header only from trusted reverse proxies, validate each value as an IP address, and encode it on output.
Asian Arts Talents Foundation (AATF) Docker version 2024.12.8.1: Apply the same fix as for the Website; the Docker image ships the same vulnerable `/ip.php` handling.