Naklehzeidan21

**Name of the Vulnerable Software and Affected Versions** Horilla versions prior to 1.3.1 **Description** Horilla is a free and open source Human Resource Management System (HRMS). An authenticated Remote Code Execution (RCE) issue exists due to the unsafe use of Python’s `eval()` function on a user-controlled query parameter in the `project bulk archive` view. This allows privileged users, such as administrators, to execute arbitrary system commands on the server. Exploitation is possible even when Django’s DEBUG mode is set to False, by using blind payloads like a reverse shell, resulting in full remote code execution. **Recommendations** Update to version 1.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Horilla version 1.3.0 **Description** Horilla is a Human Resource Management System (HRMS). Unauthenticated users can access uploaded resume files by directly guessing or predicting file URLs. These files are stored in a publicly accessible directory, potentially exposing sensitive candidate information without authentication. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Horilla HRM version 1.3.0 **Description** Horilla is a free and open source Human Resource Management System (HRMS). A stored cross-site scripting (XSS) issue in Horilla HRM version 1.3.0 allows authenticated admin or privileged users to inject malicious JavaScript payloads into multiple fields within the Project and Task modules. These payloads are stored in the database and executed when viewed by an admin or other privileged users through the web interface. The issue is not exploitable by unauthenticated users but poses a risk of session hijacking and unauthorized actions within high-privilege accounts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Phproject versions 1.8.0 through 1.8.2 Description: Phproject is a high performance full-featured project management system. A Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. A malicious payload can be crafted and included in the `planned hours` parameter within a POST request to the `/issues/new/` API endpoint. The server reflects the input directly in the HTML of the project creation page, leading to execution of the malicious script. Recommendations: Update to Phproject version 1.8.3 or later.

Name of the Vulnerable Software and Affected Versions: Part-DB versions prior to 1.17.3 Description: Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user could upload a profile picture with a misleading file extension (e.g., `.jpg.txt`), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the user interface for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. Recommendations: Update Part-DB to version 1.17.3 or later.