M507

**Name of the Vulnerable Software and Affected Versions** RosarioSIS versions prior to 6.8-beta **Description** The issue is related to a problem with the href attributes for "AddStudents.php" and "User.php" in the NotifyParents.php file within the Custom module, allowing for XSS attacks. **Recommendations** For RosarioSIS versions prior to 6.8-beta, as a temporary workaround, consider restricting access to the NotifyParents.php file in the Custom module until a patch is available. Avoid using the href attributes for "AddStudents.php" and "User.php" in the NotifyParents.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Admidio versions prior to 3.3.13 **Description** The issue is related to incorrect neutralization of special elements used in SQL commands, allowing for SQL injection. This can enable a remote attacker to gain unauthorized access to protected information using specially crafted SQL queries. The vulnerability impacts the confidentiality of the system. An attacker can send a GET request with arbitrary SQL queries appended to the `main cookie` parameter and execute SQL queries without logging in. **Recommendations** For versions prior to 3.3.13, update to version 3.3.13 to resolve the issue. As a temporary workaround, consider restricting access to the SQL query functionality to minimize the risk of exploitation. Avoid using the `main cookie` parameter in SQL queries until the issue is resolved.