Khanmarshal

**Name of the Vulnerable Software and Affected Versions** OpenCart versions prior to 4.1.0.4 **Description** A security issue exists in OpenCart related to the Single-Use Coupon Handler component. Manipulation of this component can lead to a race condition. The issue can be exploited remotely and is considered difficult to exploit. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** Update OpenCart to version 4.1.0.4 or later.

**Name of the Vulnerable Software and Affected Versions** LearnHouse (affected versions not specified) **Description** A flaw exists in LearnHouse related to the Image Handler component, leading to information disclosure. This issue can be exploited remotely. The exploit is publicly available. The vendor was informed of this issue but did not provide a response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LearnHouse versions prior to 98dfad76aad70711a8113f6c1fdabfccf10509ca **Description** A cross site scripting issue exists in LearnHouse. The issue is located in the Account Setting Page component, specifically within the file '/dash/org/settings/previews', involving an unknown function. The attack can be launched remotely. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LearnHouse (affected versions not specified) **Description** A flaw exists that results in improper control of resource identifiers. This issue is located within the Student Assignment Submission Handler component, specifically affecting an unknown function within the `/api/v1/assignments/{assignment id}/tasks/{task id}/sub file` file. The attack can be initiated remotely. The exploit for this issue has been publicly disclosed. The product utilizes continuous delivery with rolling releases, and no specific version details for affected or updated releases are available. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LearnHouse versions prior to 98dfad76aad70711a8113f6c1fdabfccf10509ca **Description** A flaw exists in LearnHouse that allows for unrestricted file upload. The issue is located within the Course Thumbnail Handler component, specifically affecting an unknown function associated with the `/api/v1/courses/` endpoint. The `thumbnail` parameter is susceptible to manipulation, enabling remote attackers to upload files without restrictions. The exploit details have been publicly disclosed. **Recommendations** Versions prior to 98dfad76aad70711a8113f6c1fdabfccf10509ca should be updated. As a temporary workaround, restrict access to the `/api/v1/courses/` endpoint. Avoid using the `thumbnail` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** givanz Vvveb versions up to 1.0.7.2 **Description** A security flaw exists in the Image Handler component of givanz Vvveb. Manipulation of this component can lead to information disclosure. Remote exploitation is possible, and the exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** givanz Vvveb versions up to 1.0.7.2 **Description** A flaw exists within the Configuration File Handler component that can lead to information disclosure. The issue is potentially exploitable remotely. The exploit has been publicly disclosed. **Recommendations** Update to a version beyond 1.0.7.2.

**Name of the Vulnerable Software and Affected Versions** givanz Vvveb versions up to 1.0.7.2 **Description** A cross-site scripting issue exists in the SVG File Handler component. This manipulation can be launched remotely. The exploit is publicly available. **Recommendations** Update to a version beyond 1.0.7.2.

**Name of the Vulnerable Software and Affected Versions** givanz Vvveb versions through 1.0.7.2 **Description** A weakness exists in givanz Vvveb that could allow for cross-site request forgery. The vulnerability affects unknown code and can be exploited remotely. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** academico-sis versions prior to d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab **Description** A vulnerability exists in academico-sis related to the Profile Picture Handler component. The issue involves unrestricted upload via the `/edit-photo` file. This manipulation is possible to be carried out remotely. The exploit has been publicly disclosed. The product adopts a rolling release strategy to maintain continuous delivery. **Recommendations** Update academico-sis to version d9a9e2636fbf7e5845ee086bcb03ca62faceb6ab or later.

**Name of the Vulnerable Software and Affected Versions** Selleo Mentingo version 2025.08.27 **Description** A vulnerability exists in Selleo Mentingo 2025.08.27 within the Content-Type Handler component. Manipulation of the `userAvatar` argument results in unrestricted upload, and the attack can be performed remotely. The exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Selleo Mentingo versions prior to 2025.08.28 **Description** A security issue has been identified in Selleo Mentingo. The vulnerability resides in an unknown function within the Profile Picture Handler component. Manipulation of the `userAvatar` argument allows for unrestricted file upload, and the attack can be performed remotely. The exploit has been publicly disclosed, and the vendor was notified but did not respond. **Recommendations** Versions prior to 2025.08.28: Restrict or disable the use of the Profile Picture Handler component until a resolution is available. Avoid uploading files through the `userAvatar` argument.

**Name of the Vulnerable Software and Affected Versions** Selleo Mentingo version 2025.08.27 **Description** A cross-site scripting issue exists due to manipulation of the `Description` argument in the processing of the `/api/course/enroll-course` endpoint within the Create New Course Basic Settings component. The attack can be launched remotely. **Recommendations** As a temporary workaround, consider restricting access to the `/api/course/enroll-course` endpoint until a fix is available. Sanitize the `Description` argument to prevent the injection of malicious scripts.