Paradisecongo

**Name of the Vulnerable Software and Affected Versions** Sales & Company Management System (SCMS) versions prior to 2018-06-06 **Description** An issue was discovered in the system, where there is a CSRF vulnerability in the `member email.php` file, specifically when the `action` parameter is set to `edit`. **Recommendations** For versions prior to 2018-06-06, as a temporary workaround, consider implementing CSRF protection measures to prevent exploitation of the `member/member email.php?action=edit` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sales & Company Management System (SCMS) versions prior to 2018-06-06 **Description** An issue allows modification of an email address between the request for a validation code and the entry of the validation code. This can lead to storage of an XSS payload contained in the modified address. **Recommendations** For versions prior to 2018-06-06, as a temporary workaround, consider restricting modifications to email addresses during the validation code process until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Sales & Company Management System (SCMS) versions prior to 2018-06-06 **Description** The issue is related to SQL injection via the `type` parameter in the "member/member order.php" endpoint, specifically involving the `O state` parameter. **Recommendations** For versions prior to 2018-06-06, as a temporary workaround, consider restricting access to the "member/member order.php" endpoint until a patch is available. Avoid using the `type` parameter in this endpoint, especially with user-supplied input, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sales & Company Management System (SCMS) versions prior to 2018-06-06 **Description** The issue arises from a discrepancy in `username` checking between two components, one performing string validation and the other querying a MySQL database. This discrepancy allows for the registration of a new account with a duplicate `username`, as shown by using the `test%c2` string when a `test` account already exists. **Recommendations** For Sales & Company Management System (SCMS) versions prior to 2018-06-06, consider implementing additional validation to ensure `username` uniqueness before allowing new account registrations. As a temporary workaround, restrict access to the account registration feature to minimize the risk of exploitation.