Frog Man

**Name of the Vulnerable Software and Affected Versions** PhpPass 2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `uid` and `pwd` parameters in the accesscontrol.php file. **Recommendations** For PhpPass 2, consider restricting access to the accesscontrol.php file until a patch is available. As a temporary workaround, avoid using the `uid` and `pwd` parameters in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Truegalerie version 1.0 **Description** The issue allows remote attackers to gain administrator access. This can be achieved by sending a request to "admin.php" without the `connect` parameter and with the `loggedin` parameter set to any value, such as `1`. This is possible due to vulnerabilities in the `verif admin.php` and `check admin.php` scripts. **Recommendations** For Truegalerie version 1.0, as a temporary workaround, consider restricting access to the `admin.php` endpoint until a patch is available. Additionally, avoid using the `loggedin` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Truegalerie version 1.0 **Description** The issue allows remote attackers to read arbitrary files. This is achieved by specifying the target filename in the `file` cookie in "form.php", then downloading the file from the image gallery. No information is available about the estimated number of potentially affected devices or real-world incidents. **Recommendations** For Truegalerie version 1.0, as a temporary workaround, consider restricting access to the "upload.php" and "form.php" files until a patch is available. Avoid using the `file` cookie in the "form.php" file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PhpMyShop version 1.00 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `identifiant` and `password` parameters in the compte.php file. **Recommendations** For PhpMyShop version 1.00, consider restricting access to the compte.php file until a patch is available, and avoid using the `identifiant` and `password` parameters in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pMachine versions 2.2 through 2.2.1 pMachine Pro versions 2.2 through 2.2.1 **Description** The issue allows remote attackers to execute arbitrary PHP code by modifying the `pm path` parameter to reference a URL on a remote web server that contains the code. This is a result of a PHP remote file inclusion vulnerability in the pm/lib.inc.php file. **Recommendations** For pMachine versions 2.2 through 2.2.1, avoid using the `pm path` parameter to reference external URLs until a fix is available. For pMachine Pro versions 2.2 through 2.2.1, restrict access to the pm/lib.inc.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: one||zero (aka One or Zero) Helpdesk version 1.4 rc4 Description: The issue allows remote attackers to modify arbitrary ticket number descriptions. This is achieved via the `sg` parameter in a SQL injection attack. Recommendations: For one||zero (aka One or Zero) Helpdesk version 1.4 rc4, consider restricting access to the `sg` parameter to minimize the risk of exploitation until a patch is available.

Name of the Vulnerable Software and Affected Versions: one||zero (aka One or Zero) Helpdesk version 1.4 rc4 Description: The issue allows remote attackers to create administrator accounts by directly calling the "install.php" Helpdesk Installation script. Recommendations: For version 1.4 rc4, restrict access to the `install.php` script to prevent unauthorized creation of administrator accounts.

Name of the Vulnerable Software and Affected Versions: miniPortail (affected versions not specified) Description: The issue allows remote attackers to gain administrative privileges. This is achieved by setting the `miniPortailAdmin` cookie to an "adminok" value in the `admin.php` file. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.