Sourajeet Majumder

**Name of the Vulnerable Software and Affected Versions** Netangular Technologies ChatNet AI version v1.0 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For Netangular Technologies ChatNet AI version v1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fusion Chat Chat AI Assistant Ask Me Anything version 1.2.4.0 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For version 1.2.4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blackbox AI version 1.3.95 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For Blackbox AI version 1.3.95, as a temporary workaround, consider restricting access to the chatbox until a patch is available. Avoid using the chatbox with sensitive information until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Butterfly Effect Limited Monica Your AI Copilot powered by ChatGPT4 version 6.3.0 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For version 6.3.0, as a temporary workaround, consider restricting access to the chatbox until a patch is available. Avoid using the chatbox with sensitive information until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zhipu AI CodeGeeX version 2.17.0 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For Zhipu AI CodeGeeX version 2.17.0, consider disabling the chatbox functionality until a patch is available to prevent potential data exfiltration.

**Name of the Vulnerable Software and Affected Versions** Butterfly Effect Limited Monica ChatGPT AI Assistant version 2.4.0 **Description** A prompt injection issue in the chatbox allows attackers to access and exfiltrate all previous and subsequent chat data between the user and the AI assistant via a crafted message. **Recommendations** For version 2.4.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Digitory Multi Channel Integrated POS version 1.0 **Description** The issue is related to a lack of rate limiting in the OTP validation component, which allows attackers to gain access to the ordering system. This can lead to an excessive amount of food orders being placed. **Recommendations** For Digitory Multi Channel Integrated POS version 1.0, consider implementing rate limiting in the OTP validation component to prevent excessive access to the ordering system.

**Name of the Vulnerable Software and Affected Versions** Blood Bank and Donation Management System version 1.0 **Description** A Cross Site Scripting (XSS) issue is present in the update contact.php file, allowing an attacker to inject malicious scripts via the `name` parameter of the "update contact.php" endpoint. **Recommendations** For Blood Bank and Donation Management System version 1.0, consider restricting access to the `update contact.php` endpoint until a patch is available, and avoid using the `name` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Projectworld Online Voting System version 1.0 **Description** The issue allows an attacker to craft a malicious link that, when clicked by an authenticated user, automatically submits a vote for a specified party without the user's consent or knowledge. This is achieved via the `voter.php` page, leveraging the user's active session to perform the unauthorized action, compromising the integrity of the voting process. **Recommendations** For Projectworld Online Voting System version 1.0, as a temporary workaround, consider disabling the `voter.php` page until a patch is available. Restrict access to the `voter.php` page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Monica AI Assistant desktop application version 2.3.0 **Description** The issue allows an attacker to modify the chatbot's answer with an unloaded image, which can exfiltrate the user's sensitive chat data of the current session to a malicious third-party or attacker-controlled server through a prompt injection. This enables the exposure of sensitive information to unauthorized actors. **Recommendations** For Monica AI Assistant desktop application version 2.3.0, as a temporary workaround, consider disabling the use of images in chatbot answers until a patch is available. Restrict access to sensitive chat data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Projectworld Online Voting System version 1.0 **Description** A stored Cross-Site Scripting (XSS) issue was identified that occurs when an account is registered with a malicious javascript payload. The payload is stored and subsequently executed in the `voter.php` and `profile.php` pages whenever the account information is accessed. **Recommendations** For Projectworld Online Voting System version 1.0, consider disabling the registration of new accounts until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the `voter.php` and `profile.php` pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Lines Police CAD version 1.0 **Description** A host header injection issue allows attackers to obtain the password reset token via user interaction with a crafted password reset link, enabling them to arbitrarily reset other users' passwords and compromise their accounts. **Recommendations** For Lines Police CAD version 1.0, consider disabling the password reset functionality until a patch is available to prevent exploitation of the host header injection issue. Restrict access to the password reset link to minimize the risk of attackers obtaining the password reset token. Avoid using crafted password reset links to prevent user interaction that could lead to account compromise.

**Name of the Vulnerable Software and Affected Versions** MEANStore version 1.0 **Description** A host header injection issue allows attackers to obtain the password reset token via user interaction with a crafted password reset link, enabling them to reset other users' passwords and compromise their accounts. **Recommendations** For MEANStore version 1.0, as a temporary workaround, consider restricting user interaction with password reset links until a patch is available. Additionally, avoid using crafted links that could exploit the host header injection vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BookReviewLibrary version 1.0 **Description** A host header injection issue allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This is achieved through manipulating the host header, which can lead to unauthorized access to sensitive information. **Recommendations** For BookReviewLibrary version 1.0, consider disabling password reset functionality until a patch is available to prevent exploitation of the host header injection issue. Restrict access to password reset links to minimize the risk of attackers crafting malicious links. Avoid using user-interaction-based password reset mechanisms in the affected version until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** scheduleR version 0.0.18 **Description** A host header injection vulnerability allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This enables attackers to arbitrarily reset other users' passwords and compromise their accounts. **Recommendations** For scheduleR version 0.0.18, consider disabling the password reset functionality until a patch is available to prevent exploitation of the host header injection vulnerability. Restrict access to the password reset link to minimize the risk of account compromise.

**Name of the Vulnerable Software and Affected Versions** kishan0725's Hospital Management System version 6.3.5 **Description** A Cross-Site Request Forgery (CSRF) issue exists, allowing an attacker to craft a malicious HTML form that submits a request to delete a doctor record. By enticing an authenticated admin user to visit the specially crafted web page, the attacker can leverage the victim's browser to make unauthorized requests to the vulnerable endpoint, effectively allowing the attacker to perform actions on behalf of the admin without their consent. **Recommendations** For version 6.3.5, consider implementing proper CSRF protection mechanisms, such as token-based validation, to prevent unauthorized requests. As a temporary workaround, restrict access to the doctor record deletion functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Blood Bank And Donation Management System version 1.0 **Description** A Cross Site Scripting (XSS) issue in the `add donor.php` file allows an attacker to inject malicious scripts that will be executed when the Donor List is viewed. This enables the attacker to potentially steal user data or take control of user sessions. **Recommendations** For Blood Bank And Donation Management System version 1.0, consider disabling the `add donor.php` file or restricting access to it until a patch is available to prevent exploitation of the XSS vulnerability. Additionally, avoid using the Donor List feature in the affected version to minimize the risk of malicious script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ArrowCMS version 1.0.0 **Description** A host header injection vulnerability exists in the forgot password functionality. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This may allow an attacker to reset other users' passwords. **Recommendations** As a temporary workaround, consider disabling the forgot password functionality until a patch is available. Restrict access to the forgot password feature to minimize the risk of exploitation. Avoid using the forgot password feature in ArrowCMS version 1.0.0 until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Staff Appraisal System version 1.0 **Description** A host header injection vulnerability in the Staff Appraisal System allows attackers to obtain the password reset token via user interaction with a crafted password reset link. This enables attackers to arbitrarily reset other users' passwords and compromise their accounts. **Recommendations** For Staff Appraisal System version 1.0, as a temporary workaround, consider restricting access to the password reset functionality until a patch is available. Avoid using crafted password reset links to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.