Cod3In

Name of the Vulnerable Software and Affected Versions: Netjuke versions 1.0-rc2 Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two different parameters: the `ge id` parameter in a "list.artists" action to "explore.php" or the `id` parameter in a "show.tracks" action to "xml.php". Recommendations: For Netjuke version 1.0-rc2, avoid using the `ge id` parameter in the "list.artists" action to "explore.php" and the `id` parameter in the "show.tracks" action to "xml.php" until a patch is available. As a temporary workaround, consider restricting access to the "explore.php" and "xml.php" files to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Netjuke versions 1.0-rc2 Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `val` parameter to "alphabet.php" in an "alpha.albums" action, or the PATH INFO to "random.php" or "admin/hidden.php". Recommendations: For Netjuke version 1.0-rc2, consider restricting access to the vulnerable API endpoints, specifically "alphabet.php", "random.php", and "admin/hidden.php", until a patch is available. Avoid using the `val` parameter in the "alphabet.php" endpoint with an "alpha.albums" action to minimize the risk of exploitation.