Pedro Gabaldón Julá

**Name of the Vulnerable Software and Affected Versions** OpenGnsys version 1.1.1d (Espeto) **Description** A SQL Injection issue has been discovered, allowing an attacker to inject malicious SQL code into the login page. This could enable the attacker to bypass the login or retrieve all the information stored in the database. **Recommendations** For OpenGnsys version 1.1.1d (Espeto), as a temporary workaround, consider restricting access to the login page until a patch is available. Avoid using the login functionality with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenGnsys version 1.1.1d (Espeto) **Description** The issue allows an attacker to send a POST request to the endpoint '/opengnsys/images/M Icons.php' and modify the file extension due to a lack of file extension verification. This results in a webshell injection. **Recommendations** For OpenGnsys version 1.1.1d (Espeto), as a temporary workaround, consider restricting access to the '/opengnsys/images/M Icons.php' endpoint until a patch is available. Additionally, implement file extension verification to prevent unauthorized file uploads.

**Name of the Vulnerable Software and Affected Versions** OpenGnsys version 1.1.1d (Espeto) **Description** The issue allows an attacker to view a php backup file, specifically `controlaccess.php-LAST`, where database credentials are stored. This is an information exposure vulnerability. **Recommendations** For OpenGnsys version 1.1.1d (Espeto), consider restricting access to the `controlaccess.php-LAST` file to prevent unauthorized viewing of database credentials. As a temporary workaround, restrict access to this file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OpenGnsys version 1.1.1d (Espeto) **Description** The issue allows an attacker to enumerate all files in the web tree by accessing a php file. This is an information exposure vulnerability. **Recommendations** For OpenGnsys version 1.1.1d (Espeto), consider restricting access to php files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.