Lcg22266

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS version 1.2.4 **Description** A vulnerability has been found in the Login Page component of the software, affecting the restriction of excessive authentication attempts. The attack can be initiated remotely, with a rather high complexity and difficult exploitation. The exploit has been disclosed to the public and may be used. The vendor was contacted about this disclosure but did not respond. **Recommendations** For codelyfe Stupid Simple CMS version 1.2.4, consider implementing additional security measures to restrict excessive authentication attempts, such as rate limiting or IP blocking, until a patch is available. As a temporary workaround, restrict access to the Login Page component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DedeCMS version 5.7 **Description** A vulnerability has been found in DedeCMS, affecting unknown code of the file /src/dede/mda main.php. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For DedeCMS version 5.7, as a temporary workaround, consider restricting access to the /src/dede/mda main.php file until a patch is available. Avoid using this file in remote operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** E-Commerce System version 1.0 **Description** A SQL injection issue was found in the E-Commerce System. The vulnerability can be exploited via the `id` parameter at the "/admin/delete user.php" API endpoint. **Recommendations** For E-Commerce System version 1.0, avoid using the `id` parameter in the "/admin/delete user.php" endpoint until a fix is available. As a temporary workaround, consider restricting access to the "/admin/delete user.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Electronic Medical Records System version 1.0 **Description** A critical issue has been found in the Cookie Handler component of the SourceCodester Electronic Medical Records System, specifically in the file administrator.php. The manipulation of the `userid` argument leads to SQL injection. This issue can be exploited remotely. **Recommendations** For SourceCodester Electronic Medical Records System version 1.0, consider restricting access to the administrator.php file and the Cookie Handler component to minimize the risk of exploitation. As a temporary workaround, avoid using the `userid` argument in the affected functionality until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Simple Payroll System version 1.0 **Description** A vulnerability was found in the Simple Payroll System, affecting an unknown functionality of the file admin/?page=admin, specifically the POST Parameter Handler component. The manipulation of the `fullname` argument leads to cross-site scripting. This issue can be exploited remotely. **Recommendations** For SourceCodester Simple Payroll System version 1.0, consider restricting access to the admin/?page=admin file until a fix is available. As a temporary workaround, avoid using the `fullname` argument in the affected POST Parameter Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Online Tours & Travels Management System version 1.0 **Description** The issue concerns an arbitrary file upload vulnerability. This vulnerability can be exploited via the /tour/admin/file.php API endpoint. **Recommendations** For Online Tours & Travels Management System version 1.0, consider restricting access to the /tour/admin/file.php endpoint until a patch is available. As a temporary workaround, disabling the file upload functionality in this endpoint can help minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Catfish CMS version 4.9.90 Description: A cross site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `announcement gonggao` parameter. Recommendations: For Catfish CMS version 4.9.90, avoid using the `announcement gonggao` parameter until the issue is resolved. As a temporary workaround, consider restricting access to the affected module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.