Soulfood

**Name of the Vulnerable Software and Affected Versions** Flygo (affected versions not specified) **Description** The bulletin function does not filter special characters while a new announcement is added, allowing remote attackers to inject JavaScript and execute stored XSS attacks using a general user's credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flygo (affected versions not specified) **Description** The bulletin function of Flygo contains an Insecure Direct Object Reference (IDOR) issue. After being authenticated as a general user, remote attackers can manipulate the bulletin ID in specific URL parameters, such as `/bulletin/{id}`, and access and modify particular bulletin content. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flygo (affected versions not specified) **Description** The check-in record page of Flygo contains an Insecure Direct Object Reference (IDOR) issue. After being authenticated as a general user, remote attackers can manipulate the `employee ID` and `date` in specific parameters to access a particular employee's check-in record. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flygo (affected versions not specified) **Description** The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) issue. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to access an employee's data, modify it, and then obtain administrator privilege and execute arbitrary commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Flygo (affected versions not specified) **Description** The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) issue. After being authenticated as a general user, a remote attacker can manipulate user data and then overwrite another employee's user data by specifying that employee's ID in the `API parameter`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.