Louay Khammassi

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue was found in the Exam Results Page component, specifically in the file examresults-par.php. The manipulation of the `sid` argument leads to SQL injection. This issue can be exploited remotely. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, consider restricting access to the Exam Results Page or the examresults-par.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `sid` argument in the affected component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue has been found in the Teacher Page component, specifically in the file teacher.php. The manipulation of the `update` argument leads to sql injection. This issue can be exploited remotely. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, consider disabling the `update` argument in the teacher.php file as a temporary workaround until a patch is available. Restrict access to the Teacher Page component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue was found in the Student Page component of the lahirudanushka School Management System, specifically in the file student.php. The manipulation of the `update` argument leads to SQL injection. This issue can be exploited remotely. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, as a temporary workaround, consider restricting access to the student.php file until a patch is available. Avoid using the `update` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue has been found in the lahirudanushka School Management System, affecting an unknown functionality of the file subject.php of the component Subject Page. The manipulation of the `update` argument leads to SQL injection. The attack can be launched remotely. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, consider restricting access to the subject.php file of the Subject Page component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue has been found in the Attendance Report Page component, specifically affecting the /attendancelist.php file. The manipulation of the `aid` argument leads to SQL injection, allowing for remote attacks. The exploit has been publicly disclosed. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, consider restricting access to the /attendancelist.php file until a patch is available. As a temporary workaround, avoid using the `aid` argument in the affected Attendance Report Page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue was found in the lahirudanushka School Management System, affecting the Parent Page component, specifically the file parent.php. The manipulation of the `update` argument leads to SQL injection. This issue can be exploited remotely. Recommendations: For lahirudanushka School Management System versions 1.0.0 through 1.0.1, consider restricting access to the Parent Page component until a fix is available. As a temporary workaround, avoid using the `update` argument in the affected parent.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: lahirudanushka School Management System versions 1.0.0 through 1.0.1 Description: A critical issue has been found in the lahirudanushka School Management System, affecting some unknown functionality of the file login.php of the component Login Page. The manipulation of the `email` argument leads to SQL injection. The attack may be launched remotely. Recommendations: For versions 1.0.0 through 1.0.1, consider disabling the `login.php` file or restricting access to the Login Page until a patch is available. Avoid using the `email` argument in the affected login functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: nasirkhan Laravel Starter versions up to 11.8.0 Description: A vulnerability was found in the Password Reset Handler component, specifically affecting some unknown functionality of the file /forgot-password. The manipulation of the `Email` argument leads to observable response discrepancy. The attack can be launched remotely, with a rather high complexity and difficult exploitation. The exploit has been disclosed to the public and may be used. Recommendations: For nasirkhan Laravel Starter versions up to 11.8.0, consider disabling the Password Reset Handler component or restricting access to the /forgot-password file until a patch is available. As a temporary workaround, avoid using the `Email` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** francoisjacquet RosarioSIS version 11.5.1 **Description** A disputed issue affects the Add Portal Note component, leading to cross-site scripting. The attack can be initiated remotely. The vendor notes that the PDF is opened by the browser app in a sandbox, which should prevent website data from being accessible. **Recommendations** For version 11.5.1, consider disabling the Add Portal Note component until the issue is resolved, and verify the effectiveness of sandbox isolation to minimize potential risks.