Jiko

**Name of the Vulnerable Software and Affected Versions** Vlinks versions 1.0.3 through 1.1.6 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the page.php file. **Recommendations** For versions 1.0.3 through 1.1.6, consider restricting access to the `id` parameter in the page.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `id` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TalkBack version 2.3.14 **Description** The issue allows remote attackers to modify comments due to improper access restriction to the edit comment feature in comments.php. **Recommendations** For TalkBack version 2.3.14, consider restricting access to the comments.php file to prevent unauthorized modification of comments until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TalkBack version 2.3.14 **Description** The issue allows remote attackers to execute arbitrary commands. This is achieved via the `result` parameter in the `addons/import.php` file. **Recommendations** For TalkBack version 2.3.14, consider restricting access to the `addons/import.php` file until a patch is available. As a temporary workaround, avoid using the `result` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SailPlanner version 0.3a **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by injecting malicious SQL code via the `username` and `password` fields. **Recommendations** For SailPlanner version 0.3a, update to a version that fixes the SQL injection vulnerabilities. At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the login functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Super Simple Blog Script version 2.5.4 **Description** The issue concerns SQL injection vulnerabilities in the comments.php file of the Super Simple Blog Script. When magic quotes gpc is disabled, remote attackers can execute arbitrary SQL commands via the `entry` parameter. **Recommendations** For Super Simple Blog Script version 2.5.4, consider disabling the comments.php file or restricting access to it until a patch is available. As a temporary workaround, enable magic quotes gpc to minimize the risk of SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Super Simple Blog Script version 2.5.4 **Description** The issue concerns multiple directory traversal vulnerabilities in the comments.php file. Remote attackers can exploit these vulnerabilities to overwrite, include, and execute arbitrary local files by manipulating the `entry` parameter in the affected API endpoint. **Recommendations** For Super Simple Blog Script version 2.5.4, consider restricting access to the comments.php file and the `entry` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `entry` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Z1Exchange version 1.0 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `site` parameter in the edit.php file. Recommendations: For Z1Exchange version 1.0, consider restricting access to the edit.php file until a patch is available. As a temporary workaround, avoid using the `site` parameter in the edit.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Flax Article Manager version 1.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `cat id` parameter in the category.php file. **Recommendations** For Flax Article Manager version 1.1, consider restricting access to the category.php file until a patch is available. As a temporary workaround, avoid using the `cat id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** X7 Chat versions 2.0.1 A1 and earlier **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved via directory traversal sequences in the `help file` parameter. **Recommendations** For versions 2.0.1 A1 and earlier, consider restricting access to the `help/mini.php` file until a patch is available. As a temporary workaround, avoid using the `help file` parameter in the affected endpoint. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BbZL.PhP version 0.92 **Description** A directory traversal issue exists, allowing remote attackers to access unauthorized directories. This is achieved by including a .. (dot dot) in the `lien 2` parameter of the index.php file. **Recommendations** For BbZL.PhP version 0.92, consider restricting access to the `lien 2` parameter in the index.php file to prevent unauthorized directory access. As a temporary workaround, restrict the use of the `lien 2` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ArabCMS version 2.0 beta 1 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `rss` parameter of the rss.php file. **Recommendations** For ArabCMS version 2.0 beta 1, consider restricting access to the rss.php file until a patch is available. As a temporary workaround, avoid using the `rss` parameter in the rss.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gelato version 0.95 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This can be achieved via the `img` parameter by using (1) a .. (dot dot) sequence and possibly (2) a full pathname. **Recommendations** For Gelato version 0.95, consider restricting access to the `classes/imgsize.php` file until a fix is available. As a temporary workaround, avoid using the `img` parameter with untrusted input in the `classes/imgsize.php` file.

**Name of the Vulnerable Software and Affected Versions** 1Book versions 1.0.1 and earlier **Description** A static code injection issue allows remote attackers to upload arbitrary PHP code via the `message` parameter in an HTML webform, which is written to data.php. This enables attackers to inject malicious code into the application. **Recommendations** For versions 1.0.1 and earlier, as a temporary workaround, consider restricting access to the guestbook.php file and the data.php file to minimize the risk of exploitation. Avoid using the `message` parameter in the affected webform until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP Forge version 3.0 beta 2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in the news module to the "admin.php" endpoint. **Recommendations** For PHP Forge version 3.0 beta 2, consider restricting access to the `id` parameter in the news module to minimize the risk of exploitation. Avoid using the `id` parameter in the affected "admin.php" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** E-RESERV version 2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `ID loc` parameter in the "index.php" file. **Recommendations** For E-RESERV version 2.1, consider restricting access to the `ID loc` parameter in the "index.php" file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Blog Pixel Motion (affected versions not specified) **Description** The issue concerns a lack of authentication in the admin/sauvBase.php file, allowing remote attackers to trigger a database backup dump and obtain sensitive information from the resulting blogPM.sql file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Blogator-script version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `incl page` parameter in several PHP files, including `struct admin.php`, `struct admin blog.php`, and `struct main.php` in the ` blogadata/include` directory. **Recommendations** For Blogator-script version 1.0, update to version 1.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the `incl page` parameter in the affected PHP files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ARWScripts Gallery Script Lite versions prior to 20080411 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary local files via directory traversal sequences in the `path` parameter. **Recommendations** For versions prior to 20080411, consider restricting access to the download.html file until a fix is available. As a temporary workaround, avoid using the `path` parameter in the download.html file to minimize the risk of exploitation.