Kamil Dąbkowski

**Name of the Vulnerable Software and Affected Versions** Streamsoft Prestiż versions prior to 20.0.380.92 **Description** The software uses a custom token encoding algorithm that allows an attacker to guess the value of the KSeF (Krajowy System e-Faktur) token by analyzing how tokens with known values are encoded. The KSeF is a national system for electronic invoicing. **Recommendations** Update Streamsoft Prestiż to version 20.0.380.92 or later.

**Name of the Vulnerable Software and Affected Versions** SIMPLE.ERP versions prior to 6.30@A04.4 u06 **Description** SIMPLE.ERP is susceptible to a SQL Injection issue within the search functionality of the "Obroty na kontach" window. Insufficient input validation permits an authenticated attacker to construct a malicious database query, leading to its execution. The vulnerable functionality lacks proper sanitization of user-supplied input, allowing for the injection of arbitrary SQL code. The `search` function is affected. The vulnerable parameter is not specified. **Recommendations** Update to version 6.30@A04.4 u06 or later.

**Name of the Vulnerable Software and Affected Versions** SIMPLE.ERP versions prior to 6.30@a04.3 **Description** A SQL injection issue exists in the warehouse document filtering form of SIMPLE.ERP software. A logged-in user can submit a payload of up to 20 characters. A confirmed use case allows for the deletion of tables with names up to 6 characters in length. Data exfiltration within the query character limit was not possible. **Recommendations** Update SIMPLE.ERP to version 6.30@a04.3 or later.

**Name of the Vulnerable Software and Affected Versions** Streamsoft Prestiż versions prior to 18.1.376.37 **Description** The issue is related to improper sanitization of input from multiple fields in Streamsoft Prestiż, leading to an SQL injection vulnerability. This vulnerability might be exploited by an authenticated remote attacker. **Recommendations** For versions prior to 18.1.376.37, update to version 18.1.376.37 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data and implementing additional security measures to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Streamsoft Prestiż versions prior to 18.2.377 **Description** The issue concerns the use of a custom password encoding algorithm in the software, which allows for straightforward decoding of passwords using their encoded forms stored in the application's database. An attacker would need to know the encoding algorithm, but it can be deduced by observing how passwords are transformed. **Recommendations** For versions prior to 18.2.377, update to version 18.2.377 or later to resolve the issue. As a temporary workaround, consider restricting access to the database where encoded passwords are stored to minimize the risk of exploitation.