Shaikh Shahnawaz

Name of the Vulnerable Software and Affected Versions: RSI Queue Management System version 3.0 Description: An unauthenticated blind SQL injection issue exists within the `TaskID` parameter of the GET request handler. This allows attackers to remotely inject time-delayed SQL payloads, inducing server response delays and enabling time-based inference and iterative extraction of sensitive database contents without authentication. Recommendations: For RSI Queue Management System version 3.0, consider disabling the `TaskID` parameter in the GET request handler until a patch is available. Restrict access to the GET request handler to minimize the risk of exploitation. Avoid using the `TaskID` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Quorum onQ OS version 6.0.0.5.2064 **Description** The issue allows a remote attacker to obtain sensitive information via the `msg` parameter in the "Login page" API endpoint. This is a Cross Site Scripting vulnerability. **Recommendations** For Quorum onQ OS version 6.0.0.5.2064, consider disabling the `msg` parameter in the Login page until a patch is available. Restrict access to the Login page to minimize the risk of exploitation. Avoid using the `msg` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: AutoLib Software Systems OPAC version 20.10 Description: The issue concerns exposed API keys within the source code. Attackers may use these keys to access the backend API or other sensitive information. Recommendations: For AutoLib Software Systems OPAC version 20.10, remove or securely store the exposed API keys to prevent unauthorized access to the backend API or sensitive information. Consider regenerating new API keys and updating the source code to use these new keys. As a temporary workaround, consider restricting access to the backend API until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TP-Link JetStream Smart Switch TL-SG2210P version 5.0 Build 20211201 **Description** The issue is related to improper access control, allowing attackers to escalate privileges via modification of the `tid` and `usrlvl` values in GET requests. This can enable a remote attacker to gain elevated access. **Recommendations** For TP-Link JetStream Smart Switch TL-SG2210P version 5.0 Build 20211201, as a temporary workaround, consider restricting access to the vulnerable API endpoints that accept `tid` and `usrlvl` parameters in GET requests until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.