Webray.Com.Cn

**Name of the Vulnerable Software and Affected Versions** SourceCodester/janobe Resort Reservation System version 1.0 **Description** A flaw exists that allows unrestricted file uploads. This is due to improper handling of the `image` argument within the `doInsert` function located in the `/controller.php?action=add` file. The issue can be exploited remotely. The exploit details have been publicly disclosed. **Recommendations** Apply a fix to the `doInsert` function in the `/controller.php?action=add` file to prevent unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** SourceCodester/janobe Resort Reservation System version 1.0 **Description** A flaw exists in the processing of the `/room rates.php` file within the software. Manipulation of the `q` argument in this file can lead to a SQL injection condition. This issue is remotely exploitable, and details about the exploit are publicly available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester/janobe Resort Reservation System version 1.0 **Description** A SQL injection issue exists in SourceCodester/janobe Resort Reservation System version 1.0. The issue is located in the `/accomodation.php` file. Manipulation of the `q` argument can lead to SQL injection, allowing for remote exploitation. The exploit has been publicly disclosed. **Recommendations** Apply any available updates to address the vulnerability in the `/accomodation.php` file. Sanitize the `q` argument to prevent SQL injection attacks. As a temporary workaround, restrict access to the `/accomodation.php` file.

**Name of the Vulnerable Software and Affected Versions** SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0 **Description** A flaw exists in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0 related to cross site scripting. The issue is triggered by manipulating the `patient id` argument in the /appointments.php file. This allows for remote attacks. The exploit is publicly available. **Recommendations** Apply any available updates or patches for the application. As a temporary workaround, sanitize the `patient id` input to prevent script injection. Restrict access to the /appointments.php file if possible.

**Name of the Vulnerable Software and Affected Versions** SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System version 1.0 **Description** A flaw exists in the Patients Waiting Area Queue Management System that allows for cross site scripting. This manipulation occurs through the `patient id` argument in the /checkin.php file and can be initiated remotely. The exploit has been published. **Recommendations** Apply any available updates or patches for the Patients Waiting Area Queue Management System. As a temporary workaround, consider restricting access to the /checkin.php file. Sanitize the `patient id` input to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** baowzh hfly versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c **Description** A path traversal weakness exists in baowzh hfly. The issue is related to the manipulation of the `filename` argument within an unknown function of the file '/admin/index.php/datafile/delfile'. This allows for remote exploitation. The exploit has been publicly released. The vendor was notified but did not respond. **Recommendations** Versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c should be updated.

**Name of the Vulnerable Software and Affected Versions** baowzh hfly versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c **Description** A security issue exists in baowzh hfly that allows for path traversal. This occurs due to manipulation of the `filename` argument in the `/admin/index.php/datafile/download` API endpoint. The vulnerability is present in an unknown function within the `/admin/index.php/datafile/download` file. The exploit has been publicly disclosed and may be used remotely. The vendor was notified but did not respond. **Recommendations** Apply updates to versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c. As a temporary workaround, restrict access to the `/admin/index.php/datafile/download` API endpoint. Avoid using the `filename` parameter in the `/admin/index.php/datafile/download` API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** baowzh hfly (affected versions not specified) **Description** A flaw exists that allows for unrestricted file uploads. The issue is located in an unknown function within the `/Public/Kindeditor/php/upload json.php` file. Manipulation of the `imgFile` argument enables this unrestricted upload, and the attack can be initiated remotely. The exploit is publicly available. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** baowzh hfly versions prior to 638ff9abe9078bc977c132b37acbe1900b63491c **Description** A security flaw exists due to cross site scripting in the processing of the `/admin/index.php/advtext/add` file within the advtext Module. The attack can be carried out remotely. The exploit is publicly available. The vendor was notified but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Church Management Software version 1.0 **Description** A critical issue affects some unknown processing of the file /fpassword.php. The manipulation of the argument `email` leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider restricting access to the /fpassword.php file until a patch is available. Avoid using the `email` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Church Management Software version 1.0 **Description** The issue concerns a cross-site scripting problem. It involves the "/admin/redirect.php" API endpoint. **Recommendations** For SourceCodester Best Church Management Software version 1.0, as a temporary workaround, consider restricting access to the "/admin/redirect.php" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Employee Management System version 1.0 **Description** A vulnerability has been found in the processing of the file /admin/salary slip.php. The manipulation of the `id` argument leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider disabling access to the /admin/salary slip.php file until a patch is available. Restrict the manipulation of the `id` argument to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Church Management Software version 1.0 **Description** A critical vulnerability was found in the software, affecting an unknown functionality of the file /admin/app/asset crud.php. The manipulation of the `photo1` argument leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider disabling the upload functionality in the /admin/app/asset crud.php file until a patch is available. Restrict access to the `photo1` argument in the affected API endpoint to minimize the risk of exploitation. Avoid using the /admin/app/asset crud.php file for uploading files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Church Management Software version 1.0 **Description** A vulnerability was found in the software, rated as problematic. It affects some unknown functionality of the file /admin/app/profile crud.php. The manipulation of the `old cat img` argument leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** As a temporary workaround, consider restricting access to the `/admin/app/profile crud.php` file until a patch is available. Avoid using the `old cat img` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best Employee Management System version 1.0 **Description** A vulnerability was found in the SourceCodester Best Employee Management System, affecting unknown code of the file /admin/backup/backups.php. This leads to information disclosure and can be initiated remotely. The exploit has been disclosed to the public, and the vendor was contacted but did not respond. **Recommendations** As a temporary workaround, consider disabling access to the /admin/backup/backups.php file until a patch is available. Restrict access to the `backups.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best House Rental Management System version 1.0 **Description** A critical issue has been found in the system, affecting the file /ajax.php?action=update account. The manipulation of the arguments `firstname`, `lastname`, or `email` leads to SQL injection. This issue can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For SourceCodester Best House Rental Management System version 1.0, consider disabling the `/ajax.php?action=update account` endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the arguments `firstname`, `lastname`, or `email` in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Best House Rental Management System version 1.0 **Description** A critical vulnerability has been found in the system, affecting some unknown functionality of the file "/ajax.php?action=signup". The manipulation of the arguments `firstname`, `lastname`, and `email` leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For SourceCodester Best House Rental Management System version 1.0, consider disabling the `/ajax.php?action=signup` endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the arguments `firstname`, `lastname`, and `email` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SourceCodester Best House Rental Management System version 1.0 Description: A vulnerability has been found in the system, classified as problematic, affecting an unknown functionality of the file /ajax.php?action=save category. The manipulation of the `name` argument leads to cross-site scripting. The attack can be launched remotely. This issue poses risks such as data theft and site defacement. Recommendations: For version 1.0, patch the system and validate input on the backend to prevent exploitation. As a temporary workaround, consider restricting access to the /ajax.php?action=save category endpoint until a patch is available. Additionally, avoid using the `name` argument in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SourceCodester FAQ Management System version 1.0 **Description** A problematic issue has been found in the Update FAQ component, where the manipulation of the `Frequently Asked Question` argument leads to cross-site scripting. The attack can be launched remotely. **Recommendations** For SourceCodester FAQ Management System version 1.0, consider restricting access to the Update FAQ component until a patch is available. As a temporary workaround, avoid using the `Frequently Asked Question` argument in the affected functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Online Learning System V2 version 1.0 **Description** A problematic issue was found in the software, affecting an unknown function of the file /index.php. The manipulation of the `page` argument leads to cross-site scripting. It is possible to launch the attack remotely. The issue has been disclosed to the public. **Recommendations** For version 1.0, consider disabling the affected function in /index.php until a patch is available. Restrict access to the /index.php file to minimize the risk of exploitation. Avoid using the `page` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.