Suffer

**Name of the Vulnerable Software and Affected Versions** CodeCanyon Perfex CRM versions prior to 3.4.2 **Description** A flaw in the Admin Kanban Endpoint allows for remote SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution. The issue exists within the `AbstractKanban::applySortQuery()` function located in the `application/services/AbstractKanban.php` file, specifically caused by the manipulation of the `this` argument. **Recommendations** Update to version 3.4.2 or later. As a temporary workaround, restrict access to the Admin Kanban Endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CodeCanyon Perfex CRM versions prior to 3.4.2 **Description** An authorization bypass exists in the Tenant Handler component within the `Clients::project()` function of the `application/controllers/Clients.php` file. A remote attacker can exploit this by manipulating the `ID` argument. **Recommendations** Update to version 3.4.2 or later. As a temporary workaround, restrict access to the `Clients::project()` function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** CodeCanyon Perfex CRM version 3.2.1 **Description** A vulnerability was found in CodeCanyon Perfex CRM. It has been classified as problematic. Affected is an unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module. The manipulation of the `argument description` leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For CodeCanyon Perfex CRM version 3.2.1, consider disabling the unknown function of the file /perfex/clients/project/2 of the component Project Discussions Module until a patch is available. Restrict access to the Project Discussions Module to minimize the risk of exploitation. Avoid using the `argument description` in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeCanyon Perfex CRM versions up to 3.2.1 **Description** A vulnerability has been found in the Contracts component of CodeCanyon Perfex CRM, affecting unknown code of the file /contract. The manipulation of the `content` argument leads to cross-site scripting. The attack can be initiated remotely. **Recommendations** For CodeCanyon Perfex CRM versions up to 3.2.1, consider disabling access to the /contract endpoint of the Contracts component until a patch is available. Restrict the manipulation of the `content` argument to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: CodeCanyon CRMGo SaaS versions up to 7.2 Description: A problematic issue has been found in the software, affecting some unknown processing of the file "/project/task/{task id}/show". The manipulation of the `comment` argument leads to cross-site scripting. The attack may be initiated remotely. Recommendations: For versions up to 7.2, consider disabling access to the "/project/task/{task id}/show" endpoint until a patch is available. Restrict the use of the `comment` argument in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: CodeCanyon RISE Ultimate Project Manager version 3.7.0 Description: A critical issue has been identified, affecting the /index.php/dashboard/save file. The `id` argument is susceptible to SQL injection, allowing for remote attacks. Recommendations: For CodeCanyon RISE Ultimate Project Manager version 3.7.0, it is recommended to upgrade the affected component to a newer version to mitigate the risk of SQL injection. As a temporary workaround, consider restricting access to the /index.php/dashboard/save endpoint until a patch is available. Avoid using the `id` argument in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Perfex CRM version 3.1.6 Description: A problem exists in the file application/controllers/Clients.php of the component Parameter Handler. The manipulation of the `message` argument leads to cross-site scripting. The attack can be initiated remotely. It is recommended to apply a patch to fix this issue. Recommendations: For Perfex CRM version 3.1.6, apply a patch to fix this issue. As a temporary workaround, consider restricting access to the vulnerable `message` parameter in the affected API endpoint until a patch is available.

Name of the Vulnerable Software and Affected Versions: QDocs Smart School Management System version 7.0.0 Description: A critical vulnerability was found in the QDocs Smart School Management System. The issue affects an unknown functionality of the file /user/chat/mynewuser of the component Chat. The manipulation of the argument `users[]` with a specific input as part of a POST request parameter leads to SQL injection. The attack can be launched remotely. Recommendations: For QDocs Smart School Management System version 7.0.0, upgrade to version 7.0.1 to address this issue. As a temporary workaround, consider restricting access to the vulnerable Chat component until the upgrade is applied. Avoid using the `users[]` argument in the affected API endpoint until the issue is resolved.