Xiaozhi

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pharmacy Sales and Inventory System version 1.0 **Description** Remote SQL injection is possible due to the manipulation of the `ID` argument in the '/ajax.php?action=save user' endpoint. SQL injection is a technique where an attacker inserts malicious SQL code into a query, potentially allowing them to read or modify database data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SourceCodester Pet Grooming Management Software version 1.0 **Description** A flaw in the '/admin/update customer.php' endpoint allows for remote SQL injection. This occurs due to improper validation of the argument type, length, or business parameter validity, enabling an attacker to manipulate database queries. **Recommendations** Update SourceCodester Pet Grooming Management Software version 1.0 to a version that contains a fix for this issue. As a temporary workaround, restrict access to the '/admin/update customer.php' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.1.6 **Description** The issue is related to a lack of XSS filtering when adding a user group in the admin interface. This results in storage-type XSS generation via the `description` parameter in an addgroup action. **Recommendations** For CMS Made Simple version 2.1.6, consider disabling the addgroup functionality until a patch is available to prevent potential XSS exploitation. Restrict access to the admin/addgroup.php page to minimize the risk of exploitation. Avoid using the `description` parameter in the addgroup action until the issue is resolved.