Security
Headlines
Tag: #php

CVE-2023-23015: XSS Kalkun

Cross Site Scripting (XSS) vulnerability in Kalkun 0.8.0 via username input in file User_model.php.

Tags: #xss #vulnerability #git #php
CVE-2023-23014: Possible XSS vulnerabilities · Issue #23 · ronknight/InventorySystem

Cross Site Scripting (XSS) vulnerability in InventorySystem through commit e08fbbe17902146313501ed0b5feba81d58f455c (on Apr 23, 2021) via the edit_store_name and edit_active inputs in file InventorySystem.php.

CVE-2023-23012: XSS in classroombookings

Cross Site Scripting (XSS) vulnerability in craigrodway classroombookings 2.6.4 allows attackers to execute arbitrary code, or cause other unspecified impacts, via the bgcol input in file Weeks.php.

CVE-2023-23010: xss fixes · kirilkirkov/Ecommerce-CodeIgniter-Bootstrap@d590437

Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Bootstrap through commit d5904379ca55014c5df34c67deda982c73dc7fe5 (on Dec 27, 2022) allows attackers to execute arbitrary code via the languages and trans_load parameters in file add_product.php.

CVE-2022-48152: SQL Injection in /medicines/profile.php via `id` parameter · Issue #20 · remoteclinic/RemoteClinic

SQL Injection vulnerability in RemoteClinic 2.0 allows attackers to execute arbitrary commands and gain sensitive information via the id parameter to /medicines/profile.php.

GHSA-6g8q-qfpv-57wp: CakePHP vulnerable to SQL injection

Impact: The `Cake\Database\Query::limit()` and `Cake\Database\Query::offset()` methods are vulnerable to SQL injection if passed un-sanitized user request data.

Patches: This issue has been fixed in 4.2.12, 4.3.11 and 4.4.10.

Workarounds: Using CakePHP's Pagination library will mitigate this issue, as will validating or casting parameters to these methods.

References: https://bakery.cakephp.org/2023/01/06/cakephp_4211_4311_4410_released.html

Patient Record Management System 1.0 Authentication Bypass

Patient Record Management System version 1.0 suffers from an authentication bypass vulnerability during account recovery.

Inout Multi-Vendor Shopping Cart 3.2.3 SQL Injection

Inout Multi-Vendor Shopping Cart version 3.2.3 suffers from a remote SQL injection vulnerability.

Inout Multi-Vendor Shopping Cart 3.2.3 Cross Site Scripting

Inout Multi-Vendor Shopping Cart version 3.2.3 suffers from a cross site scripting vulnerability.