Seawind

**Name of the Vulnerable Software and Affected Versions** Zabbix versions prior to 7.4.6 **Description** A Zabbix user with API access can exploit a blind SQL injection in the `CApiService.php` file. The issue resides in the `sortfield` parameter, allowing an attacker to execute arbitrary SQL selects. While query results are not directly returned, data can be exfiltrated using time-based techniques. This could lead to the disclosure of session identifiers and compromise of administrator accounts. The vulnerable component is located at the API endpoint include/classes/api/`CApiService.php`. The vulnerable parameter is `sortfield`. **Recommendations** Update to Zabbix version 7.4.6 or later.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Inventory Management System version 1.0 **Description** A vulnerability was found in the system, affecting an unknown functionality of the file /app/action/add staff.php. The manipulation leads to cross site scripting. The attack can be launched remotely. **Recommendations** For SourceCodester Inventory Management System version 1.0, consider restricting access to the /app/action/add staff.php file until a patch is available. As a temporary workaround, avoid using the add staff functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPGurukul Online Shopping Portal version 2.0 **Description** A critical vulnerability was found in the Admin Panel component of the PHPGurukul Online Shopping Portal, specifically affecting the file /shopping/admin/index.php. The manipulation of the `username` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For PHPGurukul Online Shopping Portal version 2.0, consider disabling the `username` argument in the /shopping/admin/index.php file as a temporary workaround until a patch is available. Restrict access to the Admin Panel to minimize the risk of exploitation. Avoid using the `username` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.