Alemin_Krali

**Name of the Vulnerable Software and Affected Versions** Full Revolution aspWebAlbum version 3.2 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `message` parameter in a summary action in the album.asp file. **Recommendations** For Full Revolution aspWebAlbum version 3.2, avoid using the `message` parameter in the summary action until a fix is available. As a temporary workaround, consider restricting access to the album.asp file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Full Revolution aspWebAlbum version 3.2 **Description** The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension to the `uploadmedia` action in `album.asp`, and then accessing it via a direct request to the file in the `pics/` directory. **Recommendations** For Full Revolution aspWebAlbum version 3.2, consider restricting or disabling the `uploadmedia` action in `album.asp` to prevent uploading files with executable extensions until a fix is available. Restrict access to the `pics/` directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Full Revolution aspWebCalendar 2008 **Description** The issue concerns an unrestricted file upload vulnerability. This vulnerability allows remote attackers to upload and execute arbitrary code via the `FILE1` parameter in an "uploadfileprocess" action, likely followed by a direct request to the file in "calendar/eventimages/". **Recommendations** For Full Revolution aspWebCalendar 2008, restrict access to the "uploadfileprocess" action and the "calendar/eventimages/" directory to prevent arbitrary code execution. Consider implementing validation and restrictions on file uploads to mitigate the risk of exploitation.