Sadik Cetin

#15617 of 53,633
17.3 Total CVSS
Vulnerabilities · 2
High: 1
Critical: 1
PT-2026-21316
9.8
2026-02-20
Kostasmitroglou · Thesystem · CVE-2019-25441
**Name of the Vulnerable Software and Affected Versions**
thesystem version 1.0

**Description**
The software contains a command injection issue that enables unauthenticated attackers to execute arbitrary system commands. Attackers can submit malicious input to the `run command` endpoint. Specifically, attackers can send POST requests with shell commands in the `command` parameter to execute arbitrary code on the server without authentication.

**Recommendations**
Apply a fix to address the command injection issue in the `run command` endpoint.
Restrict access to the `run command` endpoint.
Sanitize or validate the `command` parameter to prevent the execution of arbitrary shell commands.
PT-2026-7882
7.5
2026-02-12
Kostasmitroglou · Password Management Application · CVE-2019-25346
**Name of the Vulnerable Software and Affected Versions**
TheSystem version 1.0

**Description**
The software contains a SQL injection flaw that enables attackers to bypass authentication. This is achieved by manipulating the `server name` parameter to inject malicious SQL code, such as `' or '1=1'`, allowing unauthorized access to database records and potentially sensitive system information.

**Recommendations**
Apply input validation and sanitization to the `server name` parameter to prevent the injection of malicious SQL code.