Tiancesec

**Name of the Vulnerable Software and Affected Versions** code-projects Online Reviewer System version 1.0 **Description** A SQL injection issue exists in code-projects Online Reviewer System 1.0. The issue is located in the file `/system/system/students/assessments/results/studentresult-view.php`. Manipulation of the `test id` argument allows for remote exploitation. The exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Reviewer System version 1.0 **Description** A flaw exists in code-projects Online Reviewer System 1.0 that allows for cross site scripting. The issue is located in the file /system/system/admins/manage/users/btn functions.php, where manipulation of the `firstname` argument can trigger the attack. The attack can be launched remotely and the exploit is publicly available. **Recommendations** Apply a fix to address the manipulation of the `firstname` argument in the /system/system/admins/manage/users/btn functions.php file.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Reviewer System version 1.0 **Description** A flaw exists in code-projects Online Reviewer System 1.0 that allows for remote manipulation. Specifically, the `test id` argument in the file '/system/system/admins/assessments/pretest/exam-delete.php' is susceptible to SQL injection. The exploit for this issue has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Reviewer System version 1.0 **Description** A security flaw exists in code-projects Online Reviewer System 1.0, specifically within the Login component’s `/login/index.php` file. Manipulation of the `Username` argument can lead to SQL injection. The attack can be carried out remotely, and an exploit has been publicly released. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Reviewer System version 1.0 **Description** A security issue exists in code-projects Online Reviewer System 1.0. The manipulation of the `ID` argument in the file '/system/system/students/assessments/pretest/take/index.php' can lead to SQL injection. This attack can be initiated remotely. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Project Monitoring System version 1.0 **Description** A SQL injection issue exists in the Project Monitoring System 1.0. The flaw is located in an unknown function within the `/useredit.php` script. Manipulation of the `uid` parameter allows for the execution of arbitrary SQL commands remotely. The exploit has been made public. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simple Food Ordering System version 1.0 **Description** A SQL injection issue exists in Simple Food Ordering System version 1.0. Manipulation of the `Category` argument in an unknown function within the `/product.php` file can lead to SQL injection. The attack can be launched remotely and an exploit is publicly available. **Recommendations** Apply a fix for Simple Food Ordering System version 1.0 to address the SQL injection issue in the `/product.php` file.

**Name of the Vulnerable Software and Affected Versions** IdeaCMS versions up to 1.8 **Description** A command injection issue exists in IdeaCMS. The issue is located in an unknown function within the `app/common/logic/admin/Config.php` file of the Website Name Handler component. Manipulation of the `网站名称` argument can lead to remote command injection. The exploit has been publicly released, and the vendor was notified but did not respond. **Recommendations** Versions prior to 1.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CmsEasy versions up to 7.7.7 **Description** A flaw exists in CmsEasy that may allow for cross site scripting. This issue affects an unknown function within the `lib/inc/view.php` component of the URL Handler. Manipulation of the `PHP SELF` argument can be used to exploit this issue, and the attack can be launched remotely. The details of the issue have been publicly disclosed. **Recommendations** Update CmsEasy to a version newer than 7.7.7.

**Name of the Vulnerable Software and Affected Versions** PHPGurukul Employee Record Management System version 1.3 **Description** A security issue exists in PHPGurukul Employee Record Management System version 1.3. Manipulation of the `First name` argument in the /myprofile.php file can lead to cross site scripting. This can be exploited remotely. The exploit has been publicly disclosed. **Recommendations** Update to a newer version that contains a fix for this vulnerability.