Kezzap66345

**Name of the Vulnerable Software and Affected Versions** phpWCMS XT versions 0.0.7 BETA and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `HTML MENU DirPath` parameter to specific PHP files, including (1) `config HTML MENU.php` and (2) `config PHPLM.php` in the `phpwcms template/inc script/frontend render/navigation/` directory. **Recommendations** For phpWCMS XT versions 0.0.7 BETA and earlier, consider restricting access to the `config HTML MENU.php` and `config PHPLM.php` files until a patch is available. Avoid using the `HTML MENU DirPath` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Segue CMS versions 1.8.4 and earlier **Description** A remote file inclusion issue in index.php allows remote attackers to execute arbitrary PHP code via a URL in the `themesdir` parameter when `register globals` is disabled. **Recommendations** For Segue CMS versions 1.8.4 and earlier, as a temporary workaround, consider restricting access to the `themesdir` parameter in the index.php file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FrontAccounting version 1.13 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path to root` parameter to specific PHP files, such as "access/login.php" and "includes/lang/language.php", when register globals is enabled. **Recommendations** For FrontAccounting version 1.13, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the "access/login.php" and "includes/lang/language.php" files until a patch is available. Avoid using the `path to root` parameter in these files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FrontAccounting version 1.12 Build 31 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path to root` parameter in the config.php file. **Recommendations** For FrontAccounting version 1.12 Build 31, consider restricting access to the `config.php` file and avoid using the `path to root` parameter in URLs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Andreas Robertz PHPNews version 0.93 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `format menue` parameter in the admin/inc/change action.php file. **Recommendations** For Andreas Robertz PHPNews version 0.93, consider restricting access to the admin/inc/change action.php file to minimize the risk of exploitation. Avoid using the `format menue` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPGlossar version 0.8 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the format menue parameter to specific API endpoints, such as "admin/inc/change action.php" or "admin/inc/add.php". **Recommendations** For PHPGlossar version 0.8, consider restricting access to the `admin/inc/change action.php` and `admin/inc/add.php` endpoints to minimize the risk of exploitation. Avoid using the `format menue` parameter in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LaVague versions 0.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `views path` parameter in the views/print/printbar.php file. **Recommendations** For LaVague versions 0.3 and earlier, consider restricting access to the views/print/printbar.php file until a patch is available. Avoid using the `views path` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Versado CMS version 1.07 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `urlModulo` parameter in the includes/ajax listado.php file. **Recommendations** For Versado CMS version 1.07, avoid using the `urlModulo` parameter in the includes/ajax listado.php file until a patch is available. Restrict access to the includes/ajax listado.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NoAh (aka PHP Content Architect, phparch) versions 0.9 through 1.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `tpls[1]` parameter in the modules/noevents/templates/mfa theme.php file. **Recommendations** For NoAh (aka PHP Content Architect, phparch) versions 0.9 through 1.2 and earlier, update to a version newer than 1.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP TopTree BBS versions 2.0.1a and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `right file` parameter in the templates/default/tpl message.php file. **Recommendations** For PHP TopTree BBS versions 2.0.1a and earlier, consider updating to a newer version that contains a fix for this issue, as using an outdated version poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** workbench survival guide version 0.11 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path` parameter. This is a result of a PHP remote file inclusion vulnerability in the `header.php` file. **Recommendations** For version 0.11, update to a newer version that contains a fix for this issue, or as a temporary workaround, consider restricting access to the `header.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tropicalm Crowell Resource version 4.5.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `RESPATH` parameter to API endpoints such as "dosearch.php" or "printfriendly.php". **Recommendations** For version 4.5.2, avoid using the `RESPATH` parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to the "dosearch.php" and "printfriendly.php" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** E-GADS! versions prior to 2.2.7 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `locale` parameter. This is a result of a PHP remote file inclusion vulnerability in the common.php file. **Recommendations** For versions prior to 2.2.7, update to version 2.2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `locale` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** The Merchant (themerchant) version 2.2 **Description** A remote file inclusion issue in the help/index.php file allows remote attackers to execute arbitrary PHP code via a URL in the `show` parameter. **Recommendations** For version 2.2, update the help/index.php file to properly validate and sanitize the `show` parameter to prevent remote file inclusion attacks. As a temporary workaround, consider restricting access to the help/index.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** OneClick CMS versions 05.10 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `site path` parameter in the main/forum/komentar.php file. **Recommendations** For OneClick CMS versions 05.10 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeWand phpBrowse (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `include path` parameter in the include/include stream.inc.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wavewoo version 0.1.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path include` parameter in the include/loading.php file. **Recommendations** For wavewoo version 0.1.1, consider restricting access to the `include/loading.php` file to minimize the risk of exploitation. Avoid using the `path include` parameter in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** barnraiser AROUNDMe version 0.7.7 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the parameters `language path core`, `template path core`, and `template path` to specific PHP and template files, including 'inc/core profile.header.php', 'template/barnraiser 01/maint contact view.tpl.php', and 'template/barnraiser 01/default.tpl.php'. **Recommendations** For barnraiser AROUNDMe version 0.7.7, consider restricting access to the `language path core`, `template path core`, and `template path` parameters in the affected files until a patch is available. As a temporary workaround, avoid using these parameters in the specified API endpoints, such as 'inc/core profile.header.php', 'template/barnraiser 01/maint contact view.tpl.php', and 'template/barnraiser 01/default.tpl.php', to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Pathos Content Management System (CMS) versions 0.92 through 0.92-2 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `file` parameter in the warn.php file. Recommendations: For Pathos Content Management System (CMS) versions 0.92 through 0.92-2, consider restricting access to the warn.php file to minimize the risk of exploitation. Avoid using the `file` parameter in the warn.php file until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MangoBery CMS version 0.5.5 Description: The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `Site Path` parameter to specific PHP files, such as `boxes/quotes.php` or `templates/mangobery/footer.sample.php`. Recommendations: For MangoBery CMS version 0.5.5, consider restricting access to the `boxes/quotes.php` and `templates/mangobery/footer.sample.php` files to minimize the risk of exploitation. Avoid using the `Site Path` parameter in these files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.