Alberto Trivero

**Name of the Vulnerable Software and Affected Versions** Citrix XenCenterWeb (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in sample code within the XenServer Resource Kit in Citrix XenCenterWeb. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters, including the `username` parameter to "config/edituser.php", the `location`, `sessionid`, and `vmname` parameters to "console.php", the `vmrefid` and `vmname` parameters to "forcerestart.php", and the `vmname` and `vmrefid` parameters to "forcesd.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix XenCenterWeb (affected versions not specified) **Description** A static code injection issue exists in the sample code of the XenServer Resource Kit in Citrix XenCenterWeb. This allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the `pool1` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix XenCenterWeb (affected versions not specified) **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in sample code within the XenServer Resource Kit in Citrix XenCenterWeb. These vulnerabilities allow remote attackers to hijack the authentication of administrators. This can be achieved through requests that change the password via the `username` parameter to "config/changepw.php" or stop a virtual machine via the `stop vmname` parameter to "hardstopvm.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Citrix XenCenterWeb (affected versions not specified) **Description** A SQL injection issue exists in the login.php file of the XenServer Resource Kit sample code in Citrix XenCenterWeb, allowing remote attackers to execute arbitrary SQL commands via the `username` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ASP Nuke version 0.80 Description: The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting attacks. This can be achieved through various parameters in different ASP files, including `email` in `forgot password.asp`, and `FirstName`, `LastName`, `Username`, `Password`, `Address1`, `Address2`, `City`, `ZipCode`, `Email` in `register.asp`. Recommendations: For ASP Nuke version 0.80, as a temporary workaround, consider validating and sanitizing user input for the `email` parameter in `forgot password.asp` and the `FirstName`, `LastName`, `Username`, `Password`, `Address1`, `Address2`, `City`, `ZipCode`, `Email` parameters in `register.asp` to prevent injection of malicious scripts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ASP Nuke version 0.80 Description: The issue allows remote attackers to execute arbitrary SQL statements. This is achieved via the `TaskID` parameter in the comment post.asp file. Recommendations: For ASP Nuke version 0.80, avoid using the `TaskID` parameter in the comment post.asp file until the issue is resolved. Consider restricting access to the comment post.asp file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ASP Nuke version 0.80 Description: The issue allows remote attackers to spoof web content and poison web caches. This is achieved by injecting CRLF ("%0d%0a") sequences in the `LangCode` parameter of the language select.asp page, specifically the `/language select.asp` endpoint. Recommendations: For ASP Nuke version 0.80, avoid using the `LangCode` parameter in the language select.asp page until the issue is resolved. As a temporary workaround, consider restricting access to the language select.asp page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 GOLD and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in different PHP files, including the `ref` parameter to "login.php", `id` or `page` parameter to "viewtopic.php", `id` parameter to "profile.php", "newpost.php", "email.php", "icq.php", or "aol.php", `t id` parameter to "newpost.php", `ref` parameter to "getpass.php", or `sText` parameter to "search.php". **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 GOLD and earlier, consider disabling the affected parameters, such as `ref`, `id`, `page`, `t id`, and `sText`, in the respective PHP files until a patch is available. Restrict access to the vulnerable PHP files, including "login.php", "viewtopic.php", "profile.php", "newpost.php", "email.php", "icq.php", "aol.php", "getpass.php", and "search.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) version 1.9.6 GOLD **Description** The issue allows remote attackers to obtain sensitive information by providing an invalid `id` parameter, set to zero, to specific API endpoints, including "viewtopic.php", "profile.php", or "newpost.php". This action reveals the path in an error message. **Recommendations** For Ultimate PHP Board (UPB) version 1.9.6 GOLD, consider validating the `id` parameter to prevent the disclosure of sensitive information. As a temporary workaround, restrict access to the "viewtopic.php", "profile.php", and "newpost.php" endpoints to minimize the risk of exploitation. Avoid using the `id` parameter with a value of zero in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) versions 1.9.6 GOLD and earlier **Description** The issue allows remote attackers to obtain sensitive information on registered users due to insufficient access control of the users.dat file, which is stored under the web document root. This can be achieved via a direct request to 'db/users.dat'. **Recommendations** For Ultimate PHP Board (UPB) versions 1.9.6 GOLD and earlier, consider restricting access to the 'db/users.dat' file to prevent unauthorized access until a proper fix is applied. As a temporary workaround, moving the users.dat file outside of the web document root or implementing proper access controls can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** Ultimate PHP Board (UPB) version 1.9.6 GOLD **Description** The issue concerns weak encryption used for passwords in the users.dat file. This weakness allows attackers to easily decrypt the passwords, potentially gaining privileges. **Recommendations** For Ultimate PHP Board (UPB) version 1.9.6 GOLD, update the password encryption method to a stronger one to prevent easy decryption by attackers.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.00 RC4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different PHP files, including the `eid` parameter to "calendar.php", the `idsql` parameter to "online.php", the `usersearch` parameter to "memberlist.php", the `pid` parameter to "editpost.php", the `fid` parameter to "forumdisplay.php", the `tid` parameter to "newreply.php", the `sid` parameter to "search.php", the `tid` or `pid` parameter to "showthread.php", the `tid` parameter to "usercp2.php", the `tid` parameter to "printthread.php", or the `pid` parameter to "reputation.php". **Recommendations** For MyBB version 1.00 RC4, consider disabling the parameters `eid`, `idsql`, `usersearch`, `pid`, `fid`, `tid`, and `sid` in their respective PHP files until a patch is available. Restrict access to the vulnerable PHP files, such as "calendar.php", "online.php", "memberlist.php", "editpost.php", "forumdisplay.php", "newreply.php", "search.php", "showthread.php", "usercp2.php", "printthread.php", and "reputation.php", to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyBB versions 1.00 RC4 and earlier **Description** The issue allows remote attackers to execute arbitrary web script or HTML. This can be achieved via various parameters, including `forums`, `version`, `limit` to "misc.php", `page`, `datecut` to "forumdisplay.php", `username`, `email`, `email2` to "member.php", `page`, `usersearch` to "memberlist.php", `pid`, `tid` to "showthread.php", or `tid` to "printthread.php". **Recommendations** For MyBB versions 1.00 RC4 and earlier, consider disabling the affected parameters to mitigate the risk of exploitation until a patch is available. Restrict access to the vulnerable API endpoints, such as "misc.php", "forumdisplay.php", "member.php", "memberlist.php", "showthread.php", and "printthread.php", to minimize the risk of exploitation. Avoid using the vulnerable parameters, including `forums`, `version`, `limit`, `page`, `datecut`, `username`, `email`, `email2`, `pid`, `tid`, and `usersearch`, in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** myBloggie version 2.1.1 **Description** The issue allows remote attackers to delete arbitrary comments by modifying the `comment id` parameter in the delcomment.php file. **Recommendations** For myBloggie version 2.1.1, consider restricting access to the delcomment.php file until a patch is available. As a temporary workaround, avoid using the `comment id` parameter in the delcomment.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** myBloggie version 2.1.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in viewmode.php and index.php, which are not properly sanitized before being displayed in an error message. Specifically, the `year` parameter in viewmode.php and the `cat id`, `month no`, and `post id` parameters in index.php are vulnerable. **Recommendations** For myBloggie version 2.1.1, consider disabling the vulnerable parameters `year`, `cat id`, `month no`, and `post id` in viewmode.php and index.php until a patch is available. Restrict access to the error messages that display these parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** myBloggie versions 2.1.1 through 2.1.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different modes, including the `keyword` parameter in "search.php", the `date no` parameter in viewdate mode, the `cat id` parameter in viewcat mode, the `month no` or `year` parameter in viewmonth mode, or the `post id` parameter in viewid mode to "index.php". **Recommendations** For myBloggie versions 2.1.1 through 2.1.3, consider restricting access to the vulnerable parameters `keyword`, `date no`, `cat id`, `month no`, `year`, and `post id` in their respective modes until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** myBloggie version 2.1.1 **Description** The issue allows remote attackers to obtain sensitive information via an invalid `post id` parameter in the "index.php" endpoint, which reveals the path in an error message. **Recommendations** For myBloggie version 2.1.1, consider restricting access to the "index.php" endpoint until a patch is available, or avoid using the `post id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB Topic Calendar module version 1.0.1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `start` parameter in the calendar scheduler.php file. **Recommendations** For version 1.0.1, update the module to a version that fixes this issue, ensuring the `start` parameter is properly sanitized to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** phpBB Topic Calendar module version 1.0.1 **Description** The issue allows remote attackers to obtain sensitive information via invalid parameters, which reveal the path in an error message when running on a Microsoft IIS server. **Recommendations** For version 1.0.1, consider restricting access to the calendar scheduler.php file until a patch is available. Avoid using invalid parameters in the affected API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MercuryBoard version 1.1.1 **Description** The issue allows remote attackers to gain sensitive information via an HTTP request with the `n` parameter set to 0. This causes a divide-by-zero error and reveals the path in the resulting error message. **Recommendations** For MercuryBoard version 1.1.1, consider restricting access to the HTTP endpoint that processes the `n` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `n` parameter with a value of 0 in HTTP requests until a patch is available.