Zeyad Alshahrani

**Name of the Vulnerable Software and Affected Versions** Koha versions prior to 24.11.02 **Description** The issue allows SQL injection in /serials/lateissues-export.pl via the `supplierid` or `serialid` parameter. This could let attackers access sensitive data, tamper with records, or wipe out databases entirely. A remote attacker without privileges can cause remote code execution. It is estimated that over 39,000 results are found to be potentially vulnerable. **Recommendations** For versions prior to 24.11.02, update to version 24.11.02 or later to protect sensitive data. As a temporary workaround, consider restricting access to the `/serials/lateissues-export.pl` endpoint until a patch is available. Avoid using the `supplierid` or `serialid` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Shared Files WordPress plugin versions prior to 1.7.6 **Description** The issue arises from the plugin not returning the correct Content-Type header for uploaded files, allowing an attacker to upload files with allowed extensions that contain malicious scripts. **Recommendations** For versions prior to 1.7.6, update to version 1.7.6 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to trusted users or disabling the file upload feature until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Drag and Drop Multiple File Upload for WooCommerce WordPress plugin versions prior to 1.1.1 **Description** The issue allows an attacker to upload unsafe files, including .shtml or .svg files, which can contain malicious scripts. This is due to the plugin not filtering all potentially dangerous file extensions. **Recommendations** For versions prior to 1.1.1, update to version 1.1.1 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only trusted users or disabling the file upload feature until the update is applied.