K1N9K0Ng

**Name of the Vulnerable Software and Affected Versions** Script Toko Online version 5.01 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. The issue is related to the `cat id` parameter in the "shop display products.php" file. **Recommendations** For Script Toko Online version 5.01, consider restricting access to the `cat id` parameter in the "shop display products.php" file until a patch is available. As a temporary workaround, avoid using the `cat id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Harris Wap Chat version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `sysFileDir` parameter to various PHP files, including "eng.writeMsg.php", "eng.adCreate.php", "eng.adCreateSave.php", "eng.adDispByTypeOptions.php", "eng.createRoom.php", "eng.forward.php", "eng.pageLogout.php", "eng.resultMember.php", "eng.roomDeleteConfirm.php", "eng.saveNewRoom.php", and "eng.searchMember.php" in the src/ directory. This can occur when register globals is enabled. **Recommendations** For Harris Wap Chat version 1.0, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the vulnerable PHP files in the src/ directory until a patch is available. Avoid using the `sysFileDir` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** VisionBurst vcart version 3.3.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `abs path` parameter to API endpoints such as "index.php" and "checkout.php". **Recommendations** For VisionBurst vcart version 3.3.2, consider restricting access to the `abs path` parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the `abs path` parameter in "index.php" and "checkout.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ncaster version 1.7.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `adminfolder` parameter in the admin/addons/archive/archive.php file. **Recommendations** For Ncaster version 1.7.2, consider restricting access to the admin/addons/archive/archive.php file until a patch is available. As a temporary workaround, avoid using the `adminfolder` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FishCart versions 3.2 RC2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `docroot` parameter. This is a result of a PHP remote file inclusion vulnerability in the `fc functions/fc example.php` file. **Recommendations** For FishCart versions 3.2 RC2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.