Qmss

**Name of the Vulnerable Software and Affected Versions** Slims8 Akasia version 8.3.1 **Description** The issue affects Slims8 Akasia, allowing SQL injection attacks through the `dir` parameter in several API endpoints, including "/admin/modules/bibliography/index.php", "/admin/modules/membership/member type.php", "/admin/modules/system/user group.php", and "/admin/modules/membership/index.php". This can be exploited by remotely authenticated librarian users. **Recommendations** For Slims8 Akasia version 8.3.1, consider restricting access to the vulnerable API endpoints until a patch is available. As a temporary workaround, avoid using the `dir` parameter in the affected endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Slims9 Bulian version 9.4.2 **Description** The issue is related to Cross Site Scripting (XSS) in the "/admin/modules/system/custom field.php" API endpoint. This affects the ability to securely manage custom fields within the system. **Recommendations** For Slims9 Bulian version 9.4.2, consider restricting access to the "/admin/modules/system/custom field.php" endpoint until a fix is available. Additionally, avoid using any functionality that relies on user-inputted data in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Slims9 Bulian version 9.4.2 **Description** The issue affects the lib/comment.inc.php file, allowing SQL injection attacks that can result in the obtainment of user data. **Recommendations** For Slims9 Bulian version 9.4.2, consider restricting access to the lib/comment.inc.php file as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Slims9 Bulian version 9.4.2 **Description** The issue affects the "/admin/modules/system/backup.php" API endpoint, allowing SQL injection attacks. This can result in the unauthorized obtainment of user data. **Recommendations** For Slims9 Bulian version 9.4.2, consider restricting access to the "/admin/modules/system/backup.php" endpoint until a fix is available. Additionally, as a temporary workaround, review and limit the use of user data within the system to minimize potential damage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.