N0Kovo

**Name of the Vulnerable Software and Affected Versions** RemoteClinic version 2.0 **Description** The issue is related to a SQL injection vulnerability. This vulnerability is located in the `ID` parameter of the "/medicines/stocks.php" API endpoint. **Recommendations** For RemoteClinic version 2.0, avoid using the `ID` parameter in the "/medicines/stocks.php" endpoint until the issue is resolved. Consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RemoteClinic version 2.0 **Description** The issue is a SQL injection vulnerability located in the /staff/edit.php file. This vulnerability can be exploited through the `username` and `password` variables. **Recommendations** For RemoteClinic version 2.0, as a temporary workaround, consider disabling access to the /staff/edit.php file until a patch is available. Restrict access to the `username` and `password` variables in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RemoteClinic version 2.0 **Description** The issue is caused by a lack of input validation and access control in the "staff/register.php" endpoint and the "edit-my-profile.php" page. This allows a remote attacker with low-privileged user credentials to create admin users, escalate privileges, and execute arbitrary code on the target system via a PHP shell. By sending specially crafted requests to the RemoteClinic application, an attacker can upload a PHP file containing arbitrary code and execute arbitrary commands. **Recommendations** For RemoteClinic version 2.0, consider disabling access to the "staff/register.php" endpoint and the "edit-my-profile.php" page until a patch is available. Restrict the ability to upload PHP files to prevent arbitrary code execution. As a temporary workaround, limit the privileges of low-privileged user credentials to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RemoteClinic version 2.0 **Description** The issue concerns a time-based blind SQL injection attack. This attack occurs in the `start` GET parameter of the "patients/index.php" API endpoint. The estimated number of potentially affected devices worldwide is not specified. There is no information provided about real-world incidents where this issue was exploited. **Recommendations** For RemoteClinic version 2.0, as a temporary workaround, consider restricting access to the "patients/index.php" API endpoint until a patch is available. Avoid using the `start` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GramAddict versions 1.2.3 and earlier Description: The issue allows remote attackers to execute arbitrary code because of the use of UIAutomator2 and ATX-Agent. The attacker must be able to reach TCP port 7912, for example, by being on the same Wi-Fi network. Recommendations: For GramAddict versions 1.2.3 and earlier, update to version 1.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to TCP port 7912 to minimize the risk of exploitation.