Benjilenoob

**Name of the Vulnerable Software and Affected Versions** MyStats versions 1.0.8 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `connexion`, `by`, and `details` parameters in the mystats.php file. **Recommendations** For MyStats versions 1.0.8 and earlier, consider restricting access to the mystats.php file until a fix is available. As a temporary workaround, avoid using the `connexion`, `by`, and `details` parameters in the mystats.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyStats versions 1.0.8 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `details` parameter in the "mystats.php" file. **Recommendations** For MyStats versions 1.0.8 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyStats versions 1.0.8 and earlier **Description** The issue allows remote attackers to obtain the installation path, probably resulting in a path disclosure in an error message. This is achieved via the `details` and by array parameters in the `mystats.php` file. **Recommendations** For MyStats versions 1.0.8 and earlier, consider restricting access to the `mystats.php` file until a patch is available. As a temporary workaround, avoid using the `details` and array parameters in the `mystats.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ProjectBB version 0.4.5.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the `pages` parameter to "divers.php", the search feature text area, `forum name`, `site name`, `maximum avatar size` in the option section, `new category`, or `new forum` fields in the forum section. **Recommendations** For ProjectBB version 0.4.5.1, as a temporary workaround, consider restricting user input in the mentioned fields to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProjectBB version 0.4.5.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters and fields, including `liste` or `desc` parameters to "divers.php", the search feature text area, post name in the post creation feature, `City`, `Homepage`, `ICQ`, `AOL`, `Yahoo!`, `MSN`, or `e-mail` fields in the profile feature, and the `new` field in the moderator section. **Recommendations** For ProjectBB version 0.4.5.1, as a temporary workaround, consider restricting access to the "divers.php" endpoint and limiting user input in the search feature, post creation, profile, and moderator sections to minimize the risk of exploitation. Avoid using the `liste` and `desc` parameters in the "divers.php" endpoint until the issue is resolved. Additionally, restrict user input in the `City`, `Homepage`, `ICQ`, `AOL`, `Yahoo!`, `MSN`, `e-mail`, and `new` fields. At the moment, there is no information about a newer version that contains a fix for this issue.