Cr4Wl3R

**Name of the Vulnerable Software and Affected Versions** Project Man versions 1.0 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `username` or `password` parameter in the "login.php" file. **Recommendations** For Project Man versions 1.0 and earlier, update to a version later than 1.0 to resolve the issue. As a temporary workaround, consider restricting access to the "login.php" file until a patch is available. Avoid using the `username` and `password` parameters in the affected "login.php" file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ProMan versions 0.1.1 and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the ` SESSION[userLang]` parameter to several API endpoints, including "elisttasks.php", "managepmanagers.php", "manageusers.php", "helpfunc.php", "managegroups.php", "manageprocess.php", and "manageusersgroups.php". **Recommendations** For ProMan versions 0.1.1 and earlier, as a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the ` SESSION[userLang]` parameter in the affected endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProMan versions 0.1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `page` parameter in the ` center.php` file. **Recommendations** For ProMan versions 0.1.1 and earlier, consider restricting access to the ` center.php` file until a patch is available. Avoid using the `page` parameter in the affected URL until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** HazelPress Lite versions 0.0.4 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `username` and `password` fields in the login.php file. **Recommendations** For HazelPress Lite versions 0.0.4 and earlier, consider disabling the login functionality until a patch is available. Restrict access to the login.php file to minimize the risk of exploitation. Avoid using the `username` and `password` fields in the login.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenMairie Opencatalogue version 1.024 **Description** A directory traversal issue exists when the register globals setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For OpenMairie Opencatalogue version 1.024, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the `soustab.php` file and avoid using directory traversal sequences in the `dsn[phptype]` parameter until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openMairie Openregistrecil version 1.02 **Description** A directory traversal issue exists in the scr/soustab.php file of openMairie Openregistrecil. When register globals is enabled, remote attackers can include and execute arbitrary local files by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For openMairie Openregistrecil version 1.02, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the scr/soustab.php file and avoid using the `dsn[phptype]` parameter with untrusted input until a fix is available.

**Name of the Vulnerable Software and Affected Versions** openMairie Openregistrecil version 1.02 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path om` parameter to various PHP files, including `autorisation normale.class.php`, `collectivite.class.php`, `dossier.class.php`, `norme simplifiee.class.php`, `registre.class.php`, `autorisation unique.class.php`, `demande avis.class.php`, `droit.class.php`, `organisme.class.php`, `service.class.php`, `categorie donnee.class.php`, `destinataire.class.php`, `profil.class.php`, `tabdyn visu.class.php`, `categorie personne.class.php`, `dispense.class.php`, `modificatif.class.php`, `reference.class.php`, and `utilisateur.class.php` in the `obj/` directory. This can occur when `register globals` is enabled. **Recommendations** For openMairie Openregistrecil version 1.02, consider disabling the `register globals` setting to prevent exploitation. Additionally, restrict access to the vulnerable PHP files in the `obj/` directory until a patch is available. Avoid using the `path om` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie Openfoncier version 2.00 **Description** A directory traversal issue exists when the `register globals` setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For openMairie Openfoncier version 2.00, consider disabling the `register globals` setting to prevent exploitation. Additionally, restrict access to the `soustab.php` file to minimize the risk of arbitrary file inclusion. Avoid using the `dsn[phptype]` parameter with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openMairie Openfoncier version 2.00 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path om` parameter to several PHP files, including "action.class.php", "architecte.class.php", "avis.class.php", "bible.class.php", and "blocnote.class.php" in the "obj/" directory, when `register globals` is enabled. **Recommendations** For openMairie Openfoncier version 2.00, consider disabling the `register globals` setting to prevent exploitation. Additionally, restrict access to the vulnerable PHP files in the "obj/" directory until a patch is available. As a temporary workaround, avoid using the `path om` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie openCimetiere version 2.01 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path om` parameter to various PHP files, including `autorisation.class.php`, `courrierautorisation.class.php`, `droit.class.php`, `profil.class.php`, `temp defunt sansemplacement.class.php`, `utils.class.php`, `cimetiere.class.php`, `defunt.class.php`, `emplacement.class.php`, `tab emplacement.class.php`, `temp emplacement.class.php`, `voie.class.php`, `collectivite.class.php`, `defunttransfert.class.php`, `entreprise.class.php`, `temp autorisation.class.php`, `travaux.class.php`, `zone.class.php`, `courrier.class.php`, `dossier.class.php`, `plans.class.php`, `temp defunt.class.php`, and `utilisateur.class.php` in the `obj/` directory. This can occur when `register globals` is enabled. **Recommendations** As a temporary workaround, consider disabling the `register globals` setting until a patch is available. Restrict access to the vulnerable PHP files in the `obj/` directory to minimize the risk of exploitation. Avoid using the `path om` parameter in the affected PHP files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenMairie openAnnuaire version 2.00 **Description** A directory traversal issue exists when the register globals setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved through directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For OpenMairie openAnnuaire version 2.00, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the `soustab.php` file to minimize the risk of arbitrary file inclusion. Avoid using the `dsn[phptype]` parameter in the affected script until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenMairie openAnnuaire version 2.00 **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved by providing a URL in the `path om` parameter to various PHP files, including `annuaire.class.php`, `droit.class.php`, `collectivite.class.php`, `profil.class.php`, `direction.class.php`, `service.class.php`, `directiongenerale.class.php`, and `utilisateur.class.php` in the obj/ directory. **Recommendations** For OpenMairie openAnnuaire version 2.00, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the affected PHP files in the obj/ directory until a patch is available. Avoid using the `path om` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie Openpresse version 1.01 **Description** A directory traversal issue exists when the register globals setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For openMairie Openpresse version 1.01, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the `soustab.php` file until a patch is available. Avoid using the `dsn[phptype]` parameter in the affected script until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie openComInterne version 1.01 **Description** A directory traversal issue exists when the register globals setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For openMairie openComInterne version 1.01, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the `soustab.php` file to minimize the risk of arbitrary file inclusion. Avoid using the `dsn[phptype]` parameter in the affected script until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie openPlanning version 1.00 **Description** A directory traversal issue exists when the register globals setting is enabled, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `dsn[phptype]` parameter. **Recommendations** For openMairie openPlanning version 1.00, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the `soustab.php` file to minimize the risk of arbitrary file inclusion. Avoid using the `dsn[phptype]` parameter with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie openPlanning version 1.00 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path om` parameter to several PHP files, including `categorie.class.php`, `profil.class.php`, `collectivite.class.php`, `ressource.class.php`, `droit.class.php`, `utilisateur.class.php`, and `planning.class.php` in the `obj/` directory, when `register globals` is enabled. **Recommendations** For openMairie openPlanning version 1.00, consider disabling the `register globals` setting to prevent exploitation. Additionally, restrict access to the vulnerable PHP files in the `obj/` directory until a patch is available. Avoid using the `path om` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openMairie openCourrier versions 2.02 through 2.03 beta **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the `dsn[phptype]` parameter when `register globals` is enabled. **Recommendations** For openMairie openCourrier versions 2.02 through 2.03 beta, consider disabling the `register globals` setting to mitigate the risk of exploitation. Avoid using the `dsn[phptype]` parameter in the affected script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openMairie openCourrier versions 2.02 through 2.03 beta **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path om` parameter to various PHP files, including `bible.class.php`, `dossier.class.php`, `service.class.php`, `collectivite.class.php`, `droit.class.php`, `tache.class.php`, `emetteur.class.php`, `utilisateur.class.php`, `courrier.recherche.tab.class.php`, and `profil.class.php` in the `obj/` directory. This is possible when `register globals` is enabled. **Recommendations** For openMairie openCourrier versions 2.02 through 2.03 beta, consider disabling the `register globals` setting to prevent exploitation. Additionally, restrict access to the vulnerable PHP files in the `obj/` directory until a patch is available. Avoid using the `path om` parameter in URLs to these files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Scratcher (affected versions not specified) **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the projects.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Scratcher (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `show` parameter in the projects.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.