Iscripts · Iscripts Autohoster · CVE-2013-7190
**Name of the Vulnerable Software and Affected Versions**
iScripts AutoHoster version 2.4
**Description**
iScripts AutoHoster contains multiple directory traversal vulnerabilities that allow remote attackers to read arbitrary files via specific parameters in several PHP files. The affected parameters are `tmpid` in "websitebuilder/showtemplateimage.php", `fname` in "admin/downloadfile.php", and `id` in "support/admin/csvdownload.php". Additionally, there is an unspecified impact via unspecified vectors in "support/parser/main_smtp.php".
**Recommendations**
For iScripts AutoHoster version 2.4, consider restricting access to the vulnerable parameters `tmpid`, `fname`, and `id` in their respective PHP files until a patch is available. As a temporary workaround, avoid using these parameters in the affected scripts. Also restrict access to "support/parser/main_smtp.php" to minimize the risk of exploitation.
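While access to these scripts is being restricted, existing web server logs can be reviewed for requests that used the three parameters with a traversal sequence. The following is an added example, not part of the original advisory or of iScripts code: it assumes Common Log Format access logs, the function names are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script path -> parameter, exactly as listed in the advisory.
WATCHED = {
    "websitebuilder/showtemplateimage.php": "tmpid",
    "admin/downloadfile.php": "fname",
    "support/admin/csvdownload.php": "id",
}
# Request field of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (such as %252e) before inspecting a value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True when the decoded value contains a '..' path segment."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def suspicious_requests(log_lines):
    """Return (script, parameter, decoded value) for every flagged request."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for script, param in WATCHED.items():
            if not url.path.lower().endswith("/" + script):
                continue
            # parse_qs removes one layer of percent-encoding itself.
            for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
                if is_traversal(value):
                    hits.append((script, param, fully_decode(value)))
    return hits

# Constructed access-log lines for illustration (not from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2014:10:00:00 +0000] "GET /websitebuilder/showtemplateimage.php?tmpid=12 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2014:10:00:05 +0000] "GET /admin/downloadfile.php?fname=..%2F..%2Fexample.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2014:10:00:09 +0000] "GET /support/admin/csvdownload.php?id=%252e%252e%252fexample.txt HTTP/1.1" 200 90',
    '203.0.113.7 - - [01/Jan/2014:10:01:00 +0000] "GET /index.php?id=..%2Fexample.txt HTTP/1.1" 404 0',
]
```

Only the second and third sample lines are flagged; the last line carries a traversal sequence but targets a script the advisory does not list.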