Federico Fazzi

**Name of the Vulnerable Software and Affected Versions** BloggIT versions 1.01 and earlier **Description** The issue arises from improper user session establishment in the admin.php file, allowing remote attackers to gain privileges through a direct request. **Recommendations** For BloggIT versions 1.01 and earlier, consider restricting access to the admin.php file until a proper fix is available. As a temporary workaround, ensure that all user sessions are properly validated and established to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Docebo LMS version 3.0.3 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `where lms` parameter to specific PHP files, including "class.module/class.definition.php" and "modules/scorm/scorm utils.php". Recommendations: For Docebo LMS version 3.0.3, consider restricting access to the `class.module/class.definition.php` and `modules/scorm/scorm utils.php` files to minimize the risk of exploitation. Avoid using the `where lms` parameter in these files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PHP remote file inclusion vulnerability in addons/mod media/body.php in Docebo 3.0.3 and earlier, when register globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[where framework] parameter. NOTE: this issue might be resultant from a global overwrite vulnerability. This issue is similar to CVE-2006-2576 and CVE-2006-3107, but the vectors are different.

Name of the Vulnerable Software and Affected Versions: FtpXQ Server version 3.0.1 Description: The issue allows remote attackers to cause a denial of service, specifically CPU exhaustion, by sending a long MKD command. Recommendations: For FtpXQ Server version 3.0.1, consider restricting access to the MKD command as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Content*Builder version 0.7.5 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL with a trailing slash (/) character in several parameters, including `lang path`, `path[cb]`, and `rel`, across multiple PHP files within the Content*Builder application. This affects various modules and plugins, such as column.inc.php, poll.inc.php, user.inc.php, media.inc.php, events.inc.php, newsletter.inc.php, guestbook.inc.php, shoutBox.php, sitemap.inc.php, overview.inc.php, detailView.inc.php, fullarticle.inc.php, comments.inc.php, headlineBox.php, and showHeadline.inc.php. **Recommendations** For Content*Builder version 0.7.5, consider disabling the vulnerable parameters `lang path`, `path[cb]`, and `rel` in the affected PHP files until a patch is available. Restrict access to the vulnerable modules and plugins to minimize the risk of exploitation. Avoid using the affected parameters in the respective API endpoints, such as '/cms/plugins/col man/column.inc.php', '/modules/guestbook/guestbook.inc.php', and '/modules/download/overview.inc.php', until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HotPlug CMS version 1.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `msg` parameter in the administration/tblcontent/login1.php file. **Recommendations** For HotPlug CMS version 1.0, avoid using the `msg` parameter in the administration/tblcontent/login1.php file until a fix is available. As a temporary workaround, consider restricting access to the administration/tblcontent/login1.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PhpBlueDragon CMS version 2.9.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `vsDragonRootPath` parameter in the `template.php` file located in `software upload/public includes/pub templates/vphptree/`. **Recommendations** For PhpBlueDragon CMS version 2.9.1, consider restricting access to the `template.php` file until a patch is available. As a temporary workaround, avoid using the `vsDragonRootPath` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Calendarix Basic versions 0.7.20060401 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in API endpoints such as "cal event.php" and "cal popup.php", particularly when magic quotes gpc is disabled. **Recommendations** For Calendarix Basic versions 0.7.20060401 and earlier, consider disabling the `id` parameter in the affected API endpoints "cal event.php" and "cal popup.php" until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** ISPConfig version 2.2.3 **Description** Multiple PHP remote file inclusion issues allow remote attackers to execute arbitrary PHP code via a URL in the `go info[isp][classes root]` parameter in server.inc.php, and the `go info[server][classes root]` parameter in app.inc.php, login.php, and trylogin.php. The vendor has disputed this issue, stating that the original researcher reviewed the installation tarball, which is not identical to the resulting system after installation. **Recommendations** For ISPConfig version 2.2.3, consider disabling the `go info[isp][classes root]` and `go info[server][classes root]` parameters in the affected files until a patch is available. Restrict access to the vulnerable parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpCMS versions 1.1.7 through 1.2.1pl2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `PHPCMS INCLUDEPATH` parameter to various files in the phpCMS application, including files such as `class.parser phpcms.php`, `class.session phpcms.php`, `class.edit phpcms.php`, `class.http indexer phpcms.php`, `class.cache phpcms.php`, `class.search phpcms.php`, `class.lib indexer universal phpcms.php`, `class.layout phpcms.php`, `parser/plugs/counter.php`, and `parser/parser.php`. **Recommendations** For phpCMS version 1.1.7, update to a version later than 1.1.7 to resolve the issue. For phpCMS version 1.2.1pl2, update to a version later than 1.2.1pl2 to resolve the issue. As a temporary workaround, consider restricting access to the `PHPCMS INCLUDEPATH` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 0verkill version 0.16 **Description** The issue is caused by an integer overflow in the `recv packet` function, allowing remote attackers to cause a denial of service (daemon crash) by sending a UDP packet with fewer than 12 bytes. This results in a long length value being passed to the `crc32` function. **Recommendations** For 0verkill version 0.16, consider disabling the `recv packet` function or restricting the handling of UDP packets until a patch is available to prevent the denial of service.

**Name of the Vulnerable Software and Affected Versions** CMS-Bandits versions 2.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `spaw root` parameter in the following API endpoints: "dialogs/img.php" and "dialogs/td.php". **Recommendations** For CMS-Bandits versions 2.5 and earlier, consider disabling the register globals setting to prevent exploitation until a patch is available. Restrict access to the dialogs/img.php and dialogs/td.php endpoints to minimize the risk of arbitrary PHP code execution. Avoid using the `spaw root` parameter in these endpoints until the issue is resolved.