Kamran Saifullah

**Name of the Vulnerable Software and Affected Versions** SourceCodester Onlne Examination & Learning Management System version 1.0 Syllabus-aligned Learning Management and Examination System version 1.0 **Description** A flaw exists in the `import users.php` file where manipulating the `raw password` argument with the input `CICT 2026` results in the use of a hard-coded password. This issue allows for remote attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Barangay Resident Profiling and Information Management System version 1.0 **Description** A remote issue exists in the Password Reset Handler component within the `passsword reset.php` file. Manipulating the `new password` argument with the value `password123` results in the use of a hard-coded password. **Recommendations** Update SourceCodester Barangay Resident Profiling and Information Management System version 1.0 to a version that removes the hard-coded password logic. As a temporary workaround, restrict access to the `passsword reset.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Inventory System version 1.0 **Description** A weakness in the `header.php` file allows for remote cross-site scripting (XSS), a technique where malicious scripts are injected into trusted websites. This issue involves unknown functionality within the file and may affect multiple parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Inventory System version 1.0 **Description** An improper authorization issue exists in the Account Creation Handler component within the file '/Product Inventory/api/users handler.php'. A remote attacker can manipulate the `ROLE` argument to bypass authorization controls. **Recommendations** Update SourceCodester Inventory System to a version newer than 1.0. As a temporary workaround, restrict access to the '/Product Inventory/api/users handler.php' endpoint or avoid using the `ROLE` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** opensourcepos Open Source Point of Sale versions prior to 3.4.3 **Description** A flaw in the Employee Login component allows for the use of a weak hash. The issue is located in the `Login()` function within the `app/Models/Employee.php` file. This vulnerability is characterized by high complexity and difficult exploitability. According to the vendor, the legacy code remains to support upgrade paths, where default passwords seeded with the old hash function are migrated to a newer one upon login, and any password change utilizes the current hash function. **Recommendations** Update to a version later than 3.4.2. As a temporary workaround, restrict access to the `Login()` function in the `app/Models/Employee.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** opensourcepos Open Source Point of Sale versions prior to 3.4.3 **Description** A path traversal issue exists in the `getPicThumb()` function within the `app/Controllers/Items.php` file. This occurs due to the improper manipulation of the `pic filename` argument, which allows a remote attacker to access files and directories outside the intended folder. **Recommendations** Apply patch def0c27a0e252668df8d942fc31e16d1edfd7323 to remediate the issue. As a temporary workaround, restrict access to the `getPicThumb()` function until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Safety Anger Pad version 1.0 **Description** A remote cross-site scripting issue exists due to the manipulation of the `angerDisplay` argument within an unknown function. Cross-site scripting is a flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester API Key Manager App version 1.0 **Description** A flaw exists within the Import Key Handler component that allows for cross site scripting. This issue can be triggered remotely through manipulation of an unknown functionality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pet Grooming Management Software version 1.0 **Description** A flaw exists in SourceCodester Pet Grooming Management Software that allows for cross-site request forgery. This issue can be exploited remotely. The vulnerable code is currently unspecified. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 2.21.2 **Description** The issue concerns a stored cross-site scripting (XSS) vulnerability in the Timeline feature of the my view page.php file. This vulnerability allows for the execution of arbitrary code, provided that the Content Security Policy (CSP) settings permit it, after an attachment with a crafted filename is uploaded. The code is executed whenever the My View Page is displayed, affecting any user who has visibility to the issue. **Recommendations** For versions prior to 2.21.2, update to version 2.21.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the Timeline feature in my view page.php until a patch is available. Avoid uploading attachments with potentially crafted filenames to minimize the risk of exploitation.