Sp1D3R

**Name of the Vulnerable Software and Affected Versions** MrNanko webp4j versions up to 1.3.x **Description** A flaw exists in the DecodeGifFromMemory function within the src/main/c/gif decoder.c file of MrNanko webp4j. Manipulation of the `canvas height` argument can lead to an integer overflow. Local access is needed for exploitation. The exploit is publicly available. **Recommendations** Implement the patch 89771b201c66d15d29e4cc016d8aae82b6a5fbe1 to correct this issue.

Name of the Vulnerable Software and Affected Versions: itsourcecode Agri-Trading Online Shopping System version 1.0 Description: A critical issue has been discovered in the itsourcecode Agri-Trading Online Shopping System. The problem affects an unknown function within the /admin/suppliercontroller.php file. Manipulation of the `supplier` argument leads to SQL injection. This issue can be exploited remotely. Recommendations: For version 1.0, consider disabling the unknown function in the /admin/suppliercontroller.php file until a patch is available. Restrict access to the /admin/suppliercontroller.php file to minimize the risk of exploitation. Avoid using the `supplier` argument in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: itsourcecode Employee Management System version 1.0 Description: A critical issue has been found, affecting an unknown part of the file /admin/editempprofile.php. The manipulation of the `FirstName` argument leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Recommendations: For itsourcecode Employee Management System version 1.0, consider restricting access to the /admin/editempprofile.php file and avoid using the `FirstName` parameter until a patch is available. As a temporary workaround, restrict the use of the `FirstName` argument in the affected file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Campcodes Online Recruitment Management System version 1.0 Description: A critical issue affects the processing of the file Recruitment/admin/view application.php, where the manipulation of the `ID` argument leads to SQL injection. The attack can be initiated remotely. Recommendations: For Campcodes Online Recruitment Management System version 1.0, consider restricting access to the Recruitment/admin/view application.php file until a patch is available. As a temporary workaround, avoid using the `ID` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Campcodes Online Recruitment Management System version 1.0 Description: A critical issue was found in the system, affecting an unknown functionality of the file /admin/ajax.php?action=save settings, specifically the About Content Page component. The manipulation of the `img` argument leads to unrestricted upload. This issue can be exploited remotely. Recommendations: For Campcodes Online Recruitment Management System version 1.0, as a temporary workaround, consider restricting access to the `/admin/ajax.php?action=save settings` endpoint to minimize the risk of exploitation. Avoid using the `img` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** horilla versions up to 1.2.1 **Description** A critical vulnerability was found in horilla, affecting the function `request new/get employee shift/create reimbursement/key result current value update/create meetings/create skills`. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For versions up to 1.2.1, as a temporary workaround, consider disabling the `request new/get employee shift/create reimbursement/key result current value update/create meetings/create skills` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** welliamcao OpsManage versions 3.0.1 through 3.0.5 **Description** A critical issue affects the `deploy host vars` function of the `/apps/api/views/deploy api.py` file in the API Endpoint component. This issue leads to deserialization and can be initiated remotely. The exploit has been publicly disclosed. **Recommendations** For welliamcao OpsManage versions 3.0.1 through 3.0.5, consider disabling the `deploy host vars` function as a temporary workaround until a patch is available. Restrict access to the `/apps/api/views/deploy api.py` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.