N1X_ [Ms-Web]

**Name of the Vulnerable Software and Affected Versions** Web Wiz Forums version 12.01 **Description** The software contains an SQL injection issue that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through the `PF` parameter. By sending GET requests to the ''member profile.asp'' endpoint with malicious `PF` values, attackers can extract sensitive database information. **Recommendations** Apply updates to address the issue in Web Wiz Forums version 12.01.

**Name of the Vulnerable Software and Affected Versions** DIGIT CENTRIS ERP (affected versions not specified) **Description** The software contains an SQL injection issue that allows unauthenticated attackers to manipulate database queries. This is achieved by injecting SQL code through the `datum1`, `datum2`, `KID`, and `PID` parameters. Attackers can send POST requests to the `/korisnikinfo.php` API endpoint with malicious SQL syntax in these parameters to extract or modify sensitive database information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NoviSmart CMS (affected versions not specified) **Description** NoviSmart CMS has a flaw that allows remote attackers to execute arbitrary SQL queries. This is possible by injecting malicious code through the Referer HTTP header field. Attackers can use time-based SQL injection payloads within the `Referer` header to extract sensitive database information or cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebIncorp ERP (affected versions not specified) **Description** The software contains an SQL injection issue that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through the `prod id` parameter. By sending GET requests to the ''product detail.php'' endpoint with malicious `prod id` values, attackers can extract sensitive database information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.