K4P0

**Name of the Vulnerable Software and Affected Versions** PunBB version 1.2.11 **Description** A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary HTML or web script to other administrators via the "Admin note" feature. **Recommendations** For PunBB version 1.2.11, consider disabling the "Admin note" feature until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** CuteNews versions 1.4.1 and earlier CuteNews version 1.4.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `user`, `story`, or `title` parameters in the "search.php" file. **Recommendations** For CuteNews versions 1.4.1 and earlier, update to a version later than 1.4.1 to resolve the issue. For CuteNews version 1.4.5, consider disabling the search functionality in "search.php" until a patch is available, and restrict access to the `user`, `story`, and `title` parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CuteNews version 1.4.1 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to API endpoints such as "/inc/show.inc.php" or "/inc/functions.inc.php", which reveal the path in an error message. **Recommendations** For CuteNews version 1.4.1, consider restricting access to the "/inc/show.inc.php" and "/inc/functions.inc.php" API endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: NicoFTP versions 3.0.1.19 and earlier Description: A buffer overflow issue might allow local users to execute arbitrary code via a long string in the `Name of site` field of an FTP account. However, since the program executes with the privileges of the invoking user and remote programs do not normally have the ability to create or modify FTP accounts, there may not be a typical attack vector for the issue that crosses privilege boundaries. Recommendations: For NicoFTP versions 3.0.1.19 and earlier, consider restricting the length of the string in the `Name of site` field to prevent potential buffer overflow issues. At the moment, there is no information about a newer version that contains a fix for this issue.