#auth

Unauthenticated attackers can exploit a weakness in the password reset functionality of the Visual Planning application in order to obtain access to arbitrary user accounts including administrators. In case administrative (in the context of Visual Planning) accounts are compromised, attackers can install malicious modules into the application to take over the application server hosting the Visual Planning application. All versions prior to Visual Planning 8 (Build 240207) are affected.

A wildcard injection inside a prepared SQL statement was found in an undocumented Visual Planning 8 REST API route. The combination of fuzzy matching (via LIKE operator) and user-controlled input allows exfiltrating the REST API key based on distinguishable server responses. If exploited, attackers are able to gain administrative access to the REST API version 2.0.

Feng Office version 3.10.8.21 suffers from a persistent cross site scripting vulnerability.

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/racer.inc.

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in print/render/award.inc.

DerbyNet 9.0 suffers from a remote SQL injection vulnerability in ajax/query.slide.next.inc.

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in playlist.php.

DerbyNet version 9.0 suffers from a cross site scripting vulnerability in photo.php.

Seo Panel version 4.7.0 suffers from a cross site scripting vulnerability.

Human Resource Management System 2024 version 1.0 suffers from a remote SQL injection vulnerability.