1Dt.W0Lf

**Name of the Vulnerable Software and Affected Versions** ibProArcade versions 3.3.0 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `g display order` cookie parameter in the "arcade.php" file. **Recommendations** For ibProArcade versions 3.3.0 and earlier, update to a version later than 3.3.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SetCMS version 3.6.5 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `set` parameter. This can be achieved by sending a certain CLIENT IP HTTP header in an enter action to "index.php", and injecting PHP sequences into "files/enter.set", which is then included by "index.php". **Recommendations** For SetCMS version 3.6.5, consider restricting access to the "index.php" file and avoid using the `set` parameter until a patch is available. As a temporary workaround, restrict write access to the "files/enter.set" file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke versions 8.0 FINAL and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands when magic quotes gpc is disabled. This can be achieved via the `sid` parameter in a comments action to "modules.php". **Recommendations** For PHP-Nuke versions 8.0 FINAL and earlier, consider disabling the comments action to modules.php or restricting access to it until a fix is available. Additionally, enabling magic quotes gpc can help mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Invision Gallery versions 2.0.7 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `album` parameter in a "rate" command. **Recommendations** For versions 2.0.7 and earlier, update to a version later than 2.0.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Invision Power Board (IPB) versions 2.1 up to 2.1.6 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `CLIENT IP` parameter in the classes/class session.php file. **Recommendations** For Invision Power Board (IPB) versions 2.1 up to 2.1.6, consider restricting access to the `classes/class session.php` file until a patch is available. Avoid using the `CLIENT IP` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DataLife Engine versions 4.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by using double-encoded values in the `user` parameter in a 'userinfo' subaction. **Recommendations** For DataLife Engine versions 4.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.