Darkbicho

**Name of the Vulnerable Software and Affected Versions** CuteNews version 1.3.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary script or HTML. This is possible via the `id` parameter in files such as show archives.php and show news.php. **Recommendations** For CuteNews version 1.3.1, consider restricting access to the vulnerable php files, such as show archives.php and show news.php, until a patch is available. Avoid using the `id` parameter in these files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PowerPortal versions 1.x **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary script or HTML. This can be achieved via the `id` parameter to the `private messages` module, the `search` parameter to the `links` and `content` modules, and the `files` parameter to the `gallery` module. **Recommendations** For PowerPortal version 1.x, as a temporary workaround, consider restricting access to the `private messages`, `links`, `content`, and `gallery` modules until a patch is available. Avoid using the `id`, `search`, and `files` parameters in the affected modules to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** csFAQ (affected versions not specified) **Description** The issue allows remote attackers to gain sensitive information via an invalid database parameter. This is achieved by exploiting csFAQ.cgi in csFAQ, which reveals the path to the web server in an error message. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** paFileDB version 3.1 **Description** The issue allows remote attackers to gain sensitive information via a direct request to various API endpoints, including "login.php", "category.php", "search.php", "main.php", "viewall.php", "download.php", "email.php", "file.php", "rate.php", or "stats.php". These endpoints reveal the path in an error message, potentially exposing sensitive information. **Recommendations** For paFileDB version 3.1, consider restricting access to the mentioned API endpoints until a patch is available. As a temporary workaround, disable the display of error messages that reveal sensitive path information.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke Video Gallery Module version 0.1 Beta 5 **Description** The issue allows remote attackers to gain sensitive information via an HTTP request with an invalid `catid` or `clipid` parameter, which reveals the full path in an error message. **Recommendations** For PHP-Nuke Video Gallery Module version 0.1 Beta 5, consider validating and sanitizing the `catid` and `clipid` parameters to prevent the disclosure of sensitive information. As a temporary workaround, restrict access to the modules.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke Video Gallery Module version 0.1 Beta 5 **Description** The issue allows remote attackers to execute arbitrary SQL code. This can be achieved by manipulating the `clipid` or `catid` parameters in a "viewclip", "viewcat", or "voteclip" action. **Recommendations** For PHP-Nuke Video Gallery Module version 0.1 Beta 5, consider restricting access to the vulnerable parameters `clipid` and `catid` in the affected actions until a patch is available. As a temporary workaround, avoid using the parameters `clipid` and `catid` in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.