Zerrr0

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Best Courier Management System version 1.0 **Description** The issue concerns SQL Injection via the `id` parameter in the "/edit staff.php" API endpoint. This allows for potential exploitation. **Recommendations** For Sourcecodester Best Courier Management System version 1.0, consider restricting access to the "/edit staff.php" endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Best Courier Management System version 1.0 **Description** The issue concerns an arbitrary file upload vulnerability in the `update user` function. This allows for potential malicious file uploads. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Sourcecodester Best Courier Management System version 1.0, consider disabling the `update user` function until a patch is available to prevent arbitrary file uploads. Restrict access to file upload features to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Best Courier Management System version 1.0 **Description** The issue is related to SQL Injection, which occurs via the `id` parameter in the "/edit branch.php" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For Sourcecodester Best Courier Management System version 1.0, consider restricting access to the "/edit branch.php" endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sourcecodester Best Courier Management System version 1.0 **Description** The issue is related to SQL Injection via the parameter `id` in the "/edit user.php" API endpoint. This allows for potential exploitation. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Sourcecodester Best Courier Management System version 1.0, as a temporary workaround, consider restricting access to the "/edit user.php" endpoint or avoiding the use of the `id` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Online Ordering System version 2.3.2 **Description** The issue allows attackers to execute arbitrary code via a crafted PHP file, exploiting an arbitrary file upload vulnerability in the `/admin/products/controller.php?action=add` component. **Recommendations** For Online Ordering System version 2.3.2, consider disabling the `/admin/products/controller.php?action=add` component until a patch is available to prevent arbitrary file uploads and subsequent code execution. Restrict access to this component to minimize the risk of exploitation. Avoid using this component with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Online Ordering System version 2.3.2 **Description** A SQL injection issue was found in the Online Ordering System via the `user email` parameter at the "/admin/login.php" API endpoint. **Recommendations** For Online Ordering System version 2.3.2, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Garage Management System version 1.0 **Description** The issue allows attackers to execute arbitrary code via a crafted PHP file, exploiting an arbitrary file upload vulnerability in the /php action/createProduct.php component. **Recommendations** For Garage Management System version 1.0, consider removing or restricting access to the /php action/createProduct.php component until a fix is available, and avoid using this component to upload files from untrusted sources.

**Name of the Vulnerable Software and Affected Versions** OpenSIS Classic version 8.0 **Description** The issue is due to a lack of protection, allowing the `student id` parameter in the "/modules/eligibility/Student.php" endpoint to be used for injecting SQL queries, which can extract information from databases. **Recommendations** For OpenSIS Classic version 8.0, consider restricting access to the "/modules/eligibility/Student.php" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `student id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.