Saud Alenazi

**Name of the Vulnerable Software and Affected Versions** Moodle LMS version 4.0 **Description** An issue allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search parameter. Specifically, JavaScript code can be injected via the search field in the 'course/search.php' endpoint to execute arbitrary scripts in users' browsers and steal session cookies. This is a cross-site scripting (XSS) flaw, which occurs when an application includes untrusted data in a web page without proper validation or escaping. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenCart Core version 4.0.2.3 **Description** The software contains a SQL injection flaw that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through the `search` parameter. This is achieved by sending GET requests to the product search endpoint with malicious `search` values, enabling the extraction of sensitive database information using boolean-based blind or time-based blind SQL injection techniques. The API endpoint involved is the product search endpoint. **Recommendations** Apply a fix for OpenCart Core version 4.0.2.3.

**Name of the Vulnerable Software and Affected Versions** Private Internet Access version 3.3 **Description** An unquoted service path allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that executes with LocalSystem permissions during service startup. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.