Raj Nandi

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Railway Reservation System version 1.0 **Description** A critical issue was found in the CodeAstro Online Railway Reservation System, affecting some unknown functionality of the file /admin/emp-profile-avatar.php of the component Profile Photo Update Handler. This issue leads to unrestricted upload and can be exploited remotely. The exploit has been disclosed to the public. **Recommendations** For CodeAstro Online Railway Reservation System version 1.0, consider disabling the Profile Photo Update Handler functionality until a patch is available to prevent unrestricted upload. Restrict access to the /admin/emp-profile-avatar.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Railway Reservation System version 1.0 **Description** A vulnerability was found in the system, affecting unknown code of the file /admin/assets/. The manipulation leads to exposure of information through directory listing. The attack can be initiated remotely. Implementing strict firewall rules to protect /admin/assets/ is recommended to minimize the risk of unauthorized access. **Recommendations** For CodeAstro Online Railway Reservation System version 1.0, implement strict firewall rules to protect the /admin/assets/ directory until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Prison Management System version 1.0 **Description** A vulnerability has been found in the SourceCodester Prison Management System, affecting some unknown processing of the file `/uploadImage/Profile/` of the component Profile Image Handler. The manipulation leads to insufficiently protected credentials. The attack may be initiated remotely. **Recommendations** For SourceCodester Prison Management System version 1.0, consider restricting access to the `/uploadImage/Profile/` endpoint until a patch is available. As a temporary workaround, review and enhance credential protection mechanisms to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Railway Reservation System version 1.0 **Description** A problem has been found in the file /admin/admin-update-employee.php of the component Update Employee Page. The manipulation of the arguments `emp fname`, `emp lname`, `emp nat idno`, and `emp addr` leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For CodeAstro Online Railway Reservation System version 1.0, as a temporary workaround, consider disabling the Update Employee Page functionality until a patch is available. Restrict access to the /admin/admin-update-employee.php file to minimize the risk of exploitation. Avoid using the arguments `emp fname`, `emp lname`, `emp nat idno`, and `emp addr` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.