Khanhchauminh

**Name of the Vulnerable Software and Affected Versions** pimcore/customer-management-framework-bundle versions prior to 3.3.9 **Description** The Customer Management Framework (CMF) for Pimcore has a business logic error in the `Conditions` tab, where the counter can be a negative number, leading to unlogic in the counter value. This issue is capable of causing business logic errors in the Conditions tab. **Recommendations** For versions prior to 3.3.9, update to version 3.3.9 to receive a patch. As a temporary workaround, apply the patch manually.

**Name of the Vulnerable Software and Affected Versions** ProjectWorlds Online Book Store PHP version 1.0 **Description** A CSRF issue in the admin delete.php file allows a remote attacker to delete any book. **Recommendations** For ProjectWorlds Online Book Store PHP version 1.0, consider implementing proper CSRF protection mechanisms, such as tokens, to prevent unauthorized actions. As a temporary workaround, restrict access to the admin delete.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Projectsworlds Online Shopping System PHP version 1.0 **Description** The issue concerns SQL injection via the `id` parameter in the "cart remove.php" file. This allows for potential manipulation of database queries. **Recommendations** For Projectsworlds Online Shopping System PHP version 1.0, consider restricting access to the "cart remove.php" file until a proper fix is applied, and ensure that user input for the `id` parameter is properly sanitized to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** ProjectWorlds Online Shopping System PHP version 1.0 **Description** A CSRF issue in the cart remove.php file allows a remote attacker to remove any product from a customer's cart. **Recommendations** For ProjectWorlds Online Shopping System PHP version 1.0, consider implementing proper CSRF protection mechanisms, such as token-based validation, to prevent unauthorized requests to the cart remove.php file. As a temporary workaround, restrict access to the cart remove.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Projectsworlds Online Book Store PHP version 1.0 **Description** The issue concerns SQL injection via the `bookisbn` parameter in the "cart.php" file. This allows for potential manipulation of database queries. **Recommendations** For Projectsworlds Online Book Store PHP version 1.0, consider validating and sanitizing user input for the `bookisbn` parameter in the "cart.php" file to prevent SQL injection attacks. As a temporary workaround, restrict access to the "cart.php" file until a proper fix is implemented.

Name of the Vulnerable Software and Affected Versions: Projectworlds Hospital Management System version 1.0 Description: The issue concerns SQL injection vulnerability via multiple parameters in the admin home.php file. Recommendations: For Projectworlds Hospital Management System version 1.0, consider restricting access to the admin home.php file until a patch is available. As a temporary workaround, avoid using the vulnerable parameters in the admin home.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Projectworlds Hospital Management System version 1.0 Description: The issue allows an authenticated malicious user to compromise the database system via SQL injection in multiple parameters in the `add patient.php` file. This can potentially lead to remote code execution on the remote web server. Recommendations: For Projectworlds Hospital Management System version 1.0, consider restricting access to the `add patient.php` file until a patch is available. As a temporary workaround, avoid using vulnerable parameters in the `add patient.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Projectworlds Hospital Management System version 1.0 Description: The issue allows for SQL injection via the `appointment no` parameter in the "payment.php" endpoint. Recommendations: For Projectworlds Hospital Management System version 1.0, avoid using the `appointment no` parameter in the payment.php endpoint until the issue is resolved. Consider temporarily restricting access to the payment.php endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Projectworlds Hospital Management System version 1.0 Description: The issue concerns SQL injection via the `email` parameter in the `hms-staff.php` file. This allows for potential data manipulation or unauthorized access. Recommendations: For Projectworlds Hospital Management System version 1.0, consider restricting access to the `hms-staff.php` file or disabling the `email` parameter to minimize the risk of exploitation until a fix is available. Avoid using the `email` parameter in the affected file until the issue is resolved.