Cr@Zy_King

**Name of the Vulnerable Software and Affected Versions** Joomla! component com imagebrowser version 0.1.5 **Description** A directory traversal issue exists in the Image Browser component for Joomla!, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `folder` parameter to `index.php`. **Recommendations** For version 0.1.5, consider disabling the Image Browser component until a patch is available. Restrict access to the `index.php` file in the component to minimize the risk of exploitation. Avoid using the `folder` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SiteAdmin (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `art` parameter in the line2.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ShopCart DX (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `pid` parameter in the product detail.php file. This can lead to unauthorized access and manipulation of sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Kasseler CMS versions 1.3.0 through 1.3.1 Lite Description: A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `cid` parameter in a Category action to "index.php". Recommendations: For versions 1.3.0 and 1.3.1 Lite, avoid using the `cid` parameter in the Category action to "index.php" until a fix is available. Consider restricting access to the Files module as a temporary mitigation measure.

Name of the Vulnerable Software and Affected Versions: Kasseler CMS version 1.3.0 Description: A directory traversal issue allows remote attackers to read arbitrary files by including a .. (dot dot) in the `file` parameter to "index.php", which may be related to the phpManual module. Recommendations: For Kasseler CMS version 1.3.0, consider restricting access to the "index.php" endpoint to minimize the risk of exploitation, and avoid using the `file` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebCalendar version 1.0.4 **Description** A remote file inclusion issue in send reminders.php allows remote attackers to execute arbitrary PHP code via a URL in the `includedir` parameter and a 0 value for the `noSet` parameter. **Recommendations** For WebCalendar version 1.0.4, as a temporary workaround, consider restricting access to the `send reminders.php` file until a patch is available. Avoid using the `includedir` parameter with untrusted input in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CartKeeper CKGold Shopping Cart versions 2.5 through 2.7 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `category id` parameter in the "item.php" file. **Recommendations** For CartKeeper CKGold Shopping Cart versions 2.5 through 2.7, avoid using the `category id` parameter in the affected "item.php" file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** pNews versions 2.08 and 2.10 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible due to a SQL injection vulnerability in the index.php file when the magic quotes gpc setting is disabled. The vulnerability can be exploited via the `shownews` parameter in the affected API endpoint "/index.php". **Recommendations** For versions 2.08 and 2.10, consider disabling the `shownews` parameter in the index.php file until a patch is available. Restrict access to the index.php file to minimize the risk of exploitation. Avoid using the `shownews` parameter in the affected endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Mytipper ZoGo-shop plugin versions 1.15.5 through 1.16 Beta 13 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `cat` parameter in the products.php file. Recommendations: For Mytipper ZoGo-shop plugin versions 1.15.5 through 1.16 Beta 13, avoid using the `cat` parameter in the products.php file until a fix is available. Consider restricting access to the products.php file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WR-Meeting version 1.0 Description: The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `msnum` parameter in a coment event, when `magic quotes gpc` is disabled. This is related to a directory traversal vulnerability in the index.php file. Recommendations: For WR-Meeting version 1.0, consider disabling the `coment` event or restricting access to the `msnum` parameter until a patch is available. Additionally, enabling `magic quotes gpc` may help mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XOOPS Article module (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in the article.php file. **Recommendations** For the affected version, consider restricting access to the article.php file until a patch is available. As a temporary workaround, avoid using the `id` parameter in the vulnerable endpoint.

**Name of the Vulnerable Software and Affected Versions** RunCMS MyArticles module version 0.6 beta-1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `topic id` parameter in a "listarticles" action within the topics.php file of the MyArticles module. **Recommendations** For MyArticles module version 0.6 beta-1, avoid using the `topic id` parameter in the "listarticles" action until the issue is resolved. As a temporary workaround, consider restricting access to the topics.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VisualPic version 0.3.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the ` CONFIG[files][functions page]` parameter in the index.php file. **Recommendations** For VisualPic version 0.3.1, consider restricting access to the ` CONFIG[files][functions page]` parameter to minimize the risk of exploitation. Avoid using the ` CONFIG[files][functions page]` parameter in the index.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpAddressBook version 2.11 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the view.php file. **Recommendations** For phpAddressBook version 2.11, consider restricting access to the view.php file until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RunCMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `artid` parameter in a "viewarticle" action, which is part of the sections (Section) module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpComasy version 0.8 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `mod project id` parameter in a "project detail" action. **Recommendations** For phpComasy version 0.8, consider restricting access to the "project detail" action or validating and sanitizing the `mod project id` parameter to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** beContent version 0.3.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the news.php file. **Recommendations** For beContent version 0.3.1, avoid using the `id` parameter in the news.php file until a fix is available. Consider restricting access to the news.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Husrev BlackBoard version 2.0.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `forumid` parameter in the "philboard forum.asp" file. **Recommendations** For Husrev BlackBoard version 2.0.2, consider restricting access to the `philboard forum.asp` file until a patch is available, and avoid using the `forumid` parameter in this file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: myPHPCalendar version 10.1 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `cal dir` parameter to API endpoints such as "admin.php", "contacts.php", or "convert-date.php". Recommendations: For myPHPCalendar version 10.1, consider restricting access to the "admin.php", "contacts.php", and "convert-date.php" API endpoints to minimize the risk of exploitation. Avoid using the `cal dir` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.