Aliaksandr Hartsuyeu

**Name of the Vulnerable Software and Affected Versions** AXScripts AxsLinks version 0.3 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `url` or `title` parameters in the addlink.php file. **Recommendations** For AXScripts AxsLinks version 0.3, avoid using the `url` and `title` parameters in the addlink.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input for these parameters to prevent malicious script injection.

**Name of the Vulnerable Software and Affected Versions** PHP Web Scripts Easy Banner Free version 2009.05.18 **Description** The issue concerns SQL injection vulnerabilities in the member.php file of PHP Web Scripts Easy Banner Free. When magic quotes gpc is disabled, remote attackers can execute arbitrary SQL commands by manipulating the `username` and `password` parameters. **Recommendations** For PHP Web Scripts Easy Banner Free version 2009.05.18, consider disabling the member.php file or restricting access to it until a patch is available. As a temporary workaround, enable magic quotes gpc to prevent SQL injection attacks via the `username` and `password` parameters. Avoid using the `username` and `password` parameters in the affected member.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP Web Scripts Easy Banner Free version 2009.05.18 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `siteurl` and `urlbanner` parameters in index.php when magic quotes gpc is disabled. **Recommendations** For PHP Web Scripts Easy Banner Free version 2009.05.18, consider disabling the `siteurl` and `urlbanner` parameters in index.php until a patch is available, or enable magic quotes gpc to prevent exploitation. Avoid using the `siteurl` and `urlbanner` parameters in the affected index.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WSN Guest version 1.24 **Description** A SQL injection issue exists in the member function in classes/member.php, allowing remote attackers to execute arbitrary SQL commands via the `wsnuser` cookie to "index.php". **Recommendations** For WSN Guest version 1.24, update to a version that fixes this issue, as using the `wsnuser` cookie to "index.php" can lead to arbitrary SQL command execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AlGuest version 1.1c-patched **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `nome` (nickname), `messaggio` (message), and `link` (homepage) parameters in index.php. **Recommendations** For AlGuest version 1.1c-patched, as a temporary workaround, consider restricting user input for the `nome`, `messaggio`, and `link` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MRCGIGUY (MCG) FreeTicket version 1.0.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the contact.php file. This occurs when the magic quotes gpc setting is disabled, and attackers can exploit the `id` and `email` parameters in a showtickets action. **Recommendations** For MRCGIGUY (MCG) FreeTicket version 1.0.0, consider disabling the showtickets action in contact.php until a patch is available, and ensure the magic quotes gpc setting is enabled to prevent SQL injection attacks. Restrict access to the `id` and `email` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CloudNine Interactive CJ Tag Board version 3.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a url BBcode tag in the `cjmsg` parameter. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For CloudNine Interactive CJ Tag Board version 3.0, consider disabling the url BBcode tag in the `cjmsg` parameter as a temporary workaround until a patch is available. Restrict access to the tag.php file to minimize the risk of exploitation. Avoid using the `cjmsg` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NX5Linx version 1.0 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands by manipulating the `c` and `l` parameters. **Recommendations** For NX5Linx version 1.0, consider restricting access to the vulnerable parameters `c` and `l` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NX5Linx version 1.0 **Description** The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a CRLF sequence in the `url` parameter. This is due to a CRLF injection vulnerability in the links.php file. **Recommendations** For NX5Linx version 1.0, consider restricting access to the links.php file or the `url` parameter to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the `url` parameter in the affected links.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NX5Linx version 1.0 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved via the `logo` parameter in the link.php file. **Recommendations** For NX5Linx version 1.0, avoid using the `logo` parameter in the link.php file until a fix is available. Consider restricting access to the link.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Doika guestbook version 2.5 and possibly earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `page` parameter in the gbook.php file. This could potentially lead to malicious actions on the affected system. **Recommendations** For Doika guestbook version 2.5 and possibly earlier, update to a version that fixes this issue, if available, or consider disabling the gbook.php file as a temporary workaround to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** CloudNine Interactive Links Manager version 2006-06-12 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `title`, `description`, or `keywords` parameters in the add url.php file. **Recommendations** For CloudNine Interactive Links Manager version 2006-06-12, as a temporary workaround, consider restricting user input for the `title`, `description`, and `keywords` parameters in the add url.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CityForFree indexcity version 1.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `url` parameter in the add url2.php file. **Recommendations** For CityForFree indexcity version 1.0, consider restricting access to the add url2.php file or validating and sanitizing the `url` parameter to prevent injection of malicious scripts. As a temporary workaround, avoid using the `url` parameter in the affected file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CloudNine Interactive Links Manager version 2006-06-12 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible when the `magic quotes gpc` setting is disabled. The `nick` parameter is vulnerable to SQL injection. **Recommendations** For CloudNine Interactive Links Manager version 2006-06-12, consider disabling the `nick` parameter in the admin.php file until a patch is available. Additionally, enabling `magic quotes gpc` can help mitigate this issue.

**Name of the Vulnerable Software and Affected Versions** CityForFree indexcity version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `cate id` parameter in the "list.php" file when the magic quotes gpc setting is disabled. **Recommendations** For CityForFree indexcity version 1.0, consider disabling the use of the `cate id` parameter in the list.php file until a patch is available, or enable magic quotes gpc to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Newsadmin version 1.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `nid` parameter in the "readarticle.php" file. **Recommendations** For Newsadmin version 1.1, consider restricting access to the "readarticle.php" file until a patch is available, and avoid using the `nid` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** HB-NS version 1.1.6 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `topic` or `id` parameter in the index.php file. **Recommendations** For HB-NS version 1.1.6, update to a version that fixes the SQL injection vulnerabilities in the index.php file. As a temporary workaround, consider restricting access to the index.php file or validating and sanitizing the `topic` and `id` parameters to prevent malicious input.

**Name of the Vulnerable Software and Affected Versions** HB-NS version 1.1.6 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the index.php file. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters, including `poster name`, `poster email`, `poster homepage`, and `message`. **Recommendations** For HB-NS version 1.1.6, as a temporary workaround, consider validating and sanitizing user input for the `poster name`, `poster email`, `poster homepage`, and `message` parameters to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AZNEWS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `ID` parameter in the "news.php" file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP Newsfeed version 20040723 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters to different PHP files, including the `name` parameter to 'deltables.php', `select`, `header`, `url`, `source`, or `time` parameters to 'manualsubmit.php', `num` parameter to 'delete.php', or `tablename` parameter to 'searchnews.php'. **Recommendations** For PHP Newsfeed version 20040723, consider restricting access to the vulnerable parameters, such as `name`, `select`, `header`, `url`, `source`, `time`, `num`, and `tablename`, in the respective PHP files until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints.