Hessam Salehi

**Name of the Vulnerable Software and Affected Versions** OlateDownload version 3.4.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `description small` parameter in the userupload.php file. **Recommendations** For OlateDownload version 3.4.0, avoid using the `description small` parameter in the userupload.php file until a fix is available. Consider restricting access to the userupload.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OlateDownload version 3.4.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `page` parameter in "details.php" or the `query` parameter in "search.php". **Recommendations** For OlateDownload version 3.4.0, update to a version that fixes the SQL injection vulnerabilities in details.php and search.php. As a temporary workaround, consider restricting access to the details.php and search.php files until a patch is available. Avoid using the `page` parameter in details.php and the `query` parameter in search.php until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Vikingboard version 0.1b **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `act` parameter in "help.php" and "search.php", and the `p` parameter in "report.php". **Recommendations** For Vikingboard version 0.1b, consider disabling the `act` parameter in "help.php" and "search.php", and the `p` parameter in "report.php" as a temporary workaround until a patch is available. Restrict access to "help.php", "search.php", and "report.php" to minimize the risk of exploitation. Avoid using the `act` and `p` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Vikingboard version 0.1b **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `s` parameter in the topic.php file. **Recommendations** For Vikingboard version 0.1b, consider restricting access to the topic.php file until a patch is available. As a temporary workaround, avoid using the `s` parameter in the topic.php file to minimize the risk of exploitation.