Michael Blunt

**Name of the Vulnerable Software and Affected Versions** Cisco Nexus Dashboard Fabric Controller (NDFC) versions (affected versions not specified) **Description** The issue is related to a lack of authorization in the implementation of the Cisco NDFC platform's application programming interface. This could allow a remote attacker with low privileges to impact the integrity of protected information. The vulnerability exists due to missing authorization controls on some REST API endpoints, which could be exploited by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited network-admin functions, such as reading device configuration information, uploading files, and modifying uploaded files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Yocto Project versions prior to 5.0 Yocto Project versions 3.1.x through 3.1.30 Yocto Project versions 4.0.x through 4.0.15 Yocto Project versions 4.3.x through 4.3.1 Bitbake versions prior to 2.6.2 **Description** The issue is related to missing input validation in the Toaster server, which is included in Bitbake. This allows an attacker to perform remote code execution in the server's shell via a crafted HTTP request. Authentication is not necessary for the attack. The Toaster server is not the default for Bitbake command line builds and is only used for the Toaster web-based user interface to Bitbake. **Recommendations** For Yocto Project versions prior to 5.0, update to version 5.0 or later. For Yocto Project versions 3.1.x through 3.1.30, update to version 3.1.31 or later. For Yocto Project versions 4.0.x through 4.0.15, update to version 4.0.16 or later. For Yocto Project versions 4.3.x through 4.3.1, update to version 4.3.2 or later. For Bitbake versions prior to 2.6.2, update to version 2.6.2 or later. As a temporary workaround, consider disabling the Toaster server until a patch is available. Restrict access to the Toaster web-based user interface to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Testimonial Page Manager version 1.0 **Description** A vulnerability was found in the HTTP POST Request Handler component, specifically in the file add-testimonial.php. The manipulation of the `name`, `description`, or `testimony` arguments leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For SourceCodester Testimonial Page Manager version 1.0, consider disabling the `add-testimonial.php` file or restricting access to it until a patch is available. Additionally, avoid using the `name`, `description`, and `testimony` arguments in the affected HTTP POST Request Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Testimonial Page Manager version 1.0 **Description** A critical issue has been found in the processing of the file delete-testimonial.php of the component HTTP GET Request Handler. The manipulation of the `testimony` argument leads to SQL injection. The attack may be initiated remotely. **Recommendations** For SourceCodester Testimonial Page Manager version 1.0, as a temporary workaround, consider restricting access to the delete-testimonial.php file until a patch is available. Avoid using the `testimony` argument in the affected HTTP GET Request Handler to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Wedding Guest e-Book version 1.0 **Description** A vulnerability was found in SourceCodester Wedding Guest e-Book, affecting an unknown part of the file "/endpoint/add-guest.php". The manipulation of the `name` argument leads to cross-site scripting. It is possible to initiate the attack remotely. **Recommendations** For version 1.0, consider disabling access to the "/endpoint/add-guest.php" endpoint until a patch is available. Restrict the manipulation of the `name` argument to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Card Holder Management System version 1.0 **Description** A vulnerability was found in the SourceCodester Card Holder Management System, affecting some unknown functionality of the component Minus Value Handler. The manipulation leads to improper validation of specified quantity in input. The attack may be launched remotely. **Recommendations** For SourceCodester Card Holder Management System version 1.0, consider restricting access to the Minus Value Handler component until a patch is available. As a temporary workaround, avoid using the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.