Yingxiujie

**Name of the Vulnerable Software and Affected Versions** CodeAstro Online Catering Ordering System version 1.0 **Description** Remote SQL injection is possible via the manipulation of the `ID` argument in the '/deleteorder.php' endpoint. SQL injection is a technique where malicious SQL statements are inserted into entry fields for execution, potentially allowing unauthorized access to or modification of the database. **Recommendations** Avoid using the `ID` parameter in the '/deleteorder.php' endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CodeAstro Leave Management System version 1.0 **Description** A weakness in the `/login.php` file allows for remote SQL injection. This occurs through the manipulation of the `txt username` argument. SQL injection is a type of flaw that allows an attacker to interfere with the queries that an application makes to its database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/login.php` file or sanitize the `txt username` input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** rawchen sims versions prior to 004f783b1db5ecdfad81c8fdc3b34171211112de **Description** A path traversal flaw exists in the 'deleteFileServlet' endpoint within the file `sims-master/src/web/servlet/file/DeleteFileServlet.java`. A remote attacker can exploit this by manipulating the `filename` argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences. **Recommendations** Update to a version later than 004f783b1db5ecdfad81c8fdc3b34171211112de. As a temporary workaround, restrict access to the 'deleteFileServlet' endpoint or avoid using the `filename` parameter until a patch is applied.

Name of the Vulnerable Software and Affected Versions perfree go-fastdfs-web versions up to 1.3.7 Description A security issue exists in perfree go-fastdfs-web up to version 1.3.7, specifically within the `doInstall` interface of the file src/main/java/com/perfree/controller/InstallController.java. This results in improper authorization, and the attack can be initiated remotely. The exploit has been publicly disclosed. Recommendations Update to a version later than 1.3.7.