M14R41

**Name of the Vulnerable Software and Affected Versions** Kashipara E-learning Management System version 1.0 **Description** A Stored Cross Site Scripting (XSS) issue was found in the /teacher avatar.php file. This allows remote attackers to execute arbitrary JavaScript via the `filename` parameter. **Recommendations** For Kashipara E-learning Management System version 1.0, consider disabling the /teacher avatar.php file or restricting access to it until a patch is available. Avoid using the `filename` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kashipara E-Learning Management System version 1.0 **Description** A Directory Listing issue was found in Kashipara E-Learning Management System, which allows remote attackers to access sensitive files and directories via the "/admin/uploads" API endpoint. This issue enables remote attackers to view important files and directories. **Recommendations** As a temporary workaround, consider restricting access to the "/admin/uploads" API endpoint until a patch is available. Avoid using the vulnerable version of the Kashipara E-Learning Management System until an update is released. Update to a newer version of the Kashipara E-Learning Management System that addresses the Directory Listing issue, if available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: kashipara E-learning Management System Project version 1.0 Description: A SQL Injection issue was found in the /admin/class.php file via the `class name` parameter. This allows for potential exploitation. Recommendations: For kashipara E-learning Management System Project version 1.0, consider restricting access to the /admin/class.php file until a patch is available. As a temporary workaround, avoid using the `class name` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: KASHIPARA E-learning Management System Project version 1.0 Description: A Stored Cross-Site Scripting (XSS) issue was discovered in the /admin/department.php file. This allows remote attackers to execute arbitrary scripts via the `d` and `pi` parameters. Recommendations: For KASHIPARA E-learning Management System Project version 1.0, consider restricting access to the /admin/department.php file until a fix is available, and avoid using the `d` and `pi` parameters in this context to minimize the risk of exploitation.