Dante90

**Name of the Vulnerable Software and Affected Versions** E-Xoopport Samsara versions 3.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `secid` parameter in a "listarticles" action when the Tutorial module is enabled. **Recommendations** For E-Xoopport Samsara versions 3.1 and earlier, consider disabling the Tutorial module until a patch is available. Avoid using the `secid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PunBB versions prior to 1.2.17 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of users for requests related to a logout, probably a forced logout. **Recommendations** For versions prior to 1.2.17, update to version 1.2.17 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `poster` parameter in the reputation.php file of the Reputation plugin for PunBB. **Recommendations** For PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier, consider restricting access to the reputation.php file until a fix is available. As a temporary workaround, avoid using the `poster` parameter in the affected reputation.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `pun user[language]` parameter when `register globals` is enabled and `magic quotes gpc` is disabled. **Recommendations** For PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier, consider disabling the `register globals` setting and enabling `magic quotes gpc` to minimize the risk of exploitation. As a temporary workaround, restrict access to the `rep profile.php` file in the `include/reputation` directory until a patch is available. Avoid using the `pun user[language]` parameter in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MD-Pro versions 2.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `rid` parameter in a "viewrecords" action to "modules.php". **Recommendations** For MD-Pro versions 2.1 and earlier, consider restricting access to the `modules.php` endpoint until a patch is available. As a temporary workaround, avoid using the `rid` parameter in the "viewrecords" action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PunBB Affiliation module versions 1.1.0 and earlier **Description** The issue concerns SQL injection vulnerabilities in the affiliates.php file of the Affiliation module for PunBB. Remote attackers can execute arbitrary SQL commands by manipulating the `in` or `out` parameters. **Recommendations** For PunBB Affiliation module versions 1.1.0 and earlier, consider restricting access to the affiliates.php file until a patch is available. As a temporary workaround, avoid using the `in` and `out` parameters in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PunBB Vote For Us extension versions 1.0.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `out` parameter in the voteforus.php file. **Recommendations** For PunBB Vote For Us extension versions 1.0.1 and earlier, consider disabling the voteforus.php file or restricting access to it until a patch is available. Avoid using the `out` parameter in the voteforus.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke versions 8.0 through 8.1.0.3.5b **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by exploiting the "url" parameter in the Add operation to "modules.php". **Recommendations** For PHP-Nuke versions 8.0 through 8.1.0.3.5b, consider restricting access to the Downloads module until a fix is available. As a temporary workaround, avoid using the `url` parameter in the Add operation to "modules.php" to minimize the risk of exploitation.