Imei Addmimistrator

**Name of the Vulnerable Software and Affected Versions** Olate Download (od) version 3.4.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `PHP SELF` variable in `modules/core/uim.php` and `[url]` tags in a comment in `modules/core/fldm.php`. **Recommendations** For Olate Download (od) version 3.4.2, consider disabling the `uim.php` and `fldm.php` modules until a patch is available to prevent exploitation. Restrict access to these modules to minimize the risk of XSS attacks. Avoid using the `PHP SELF` variable in `uim.php` and `[url]` tags in comments in `fldm.php` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Olate Download (od) version 3.4.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via an `OD3 AutoLogin` cookie. **Recommendations** For Olate Download (od) version 3.4.1, consider restricting access to the Admin.php file until a patch is available. As a temporary workaround, avoid using the `OD3 AutoLogin` cookie in the affected application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Coppermine Photo Gallery (CPG) version 1.4.8 stable **Description** The issue allows remote attackers to bypass XSS protection and set arbitrary variables via a query string. This is possible when register globals is enabled, causing variables to be defined in global space. The protection scheme unsets certain parameters, such as GET, REQUEST, or other critical parameters, which prevents the original variable from being detected. **Recommendations** For Coppermine Photo Gallery (CPG) version 1.4.8 stable, consider disabling the register globals setting to prevent the exploitation of this issue. As a temporary workaround, restrict access to critical parameters, such as GET and REQUEST, to minimize the risk of arbitrary variable setting.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.1.7 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a url BBCode tag. This is achieved by using a javascript URI with an SGML numeric character reference and an embedded space. For example, using "java& #115;cript" can demonstrate this issue. **Recommendations** For MyBB version 1.1.7, update to a version that contains a fix for this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB (MyBulletinBoard) versions 1.0 through 1.1.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `showcodebuttons` parameter in the usercp.php file. **Recommendations** For MyBB (MyBulletinBoard) versions 1.0 through 1.1.3, consider restricting access to the `showcodebuttons` parameter in the usercp.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CuteNews version 1.4.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the query string to "index.php". This could potentially lead to unauthorized actions on the affected system. **Recommendations** For CuteNews version 1.4.1, update to a newer version that contains a fix for this issue.