Linux_Drox

**Name of the Vulnerable Software and Affected Versions** DigiDomain version 2.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `domain` parameter to the "lookup result.asp" API endpoint, and the `word1` and `word2` parameters to the "suggest result.asp" API endpoint. **Recommendations** For DigiDomain version 2.2, consider disabling access to the "lookup result.asp" and "suggest result.asp" API endpoints until a patch is available. As a temporary workaround, restrict the use of the `domain`, `word1`, and `word2` parameters in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** cPanel versions 11.18.3 through 11.21.0-BETA **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the query string in the frontend/x/manpage.html file. **Recommendations** For versions 11.18.3 through 11.21.0-BETA, as a temporary workaround, consider restricting access to the frontend/x/manpage.html file until a patch is available. Avoid using the query string in this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: SendCard version 3.3.0 Description: The issue allows remote attackers to obtain sensitive information. This is achieved by providing an invalid `sc language` parameter to the "sendcard.php" endpoint, which results in an error message that reveals the path. Recommendations: For SendCard version 3.3.0, avoid using the `sc language` parameter in the "sendcard.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "sendcard.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Digirez version 3.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `Room name` parameter to the "/room/info book.asp" API endpoint or the `curYear` parameter to the "/room/week.asp" API endpoint. **Recommendations** For Digirez version 3.4, as a temporary workaround, consider restricting access to the "/room/info book.asp" and "/room/week.asp" API endpoints until a patch is available. Avoid using the `Room name` and `curYear` parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Future Internet (affected versions not specified) Description: The issue concerns multiple SQL injection vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary SQL commands. The vulnerabilities can be exploited via specific parameters in certain actions: the `newsId` or `categoryid` parameter in a Portal.Showpage action in `index.cfm`, or the `langId` parameter in `index.cfm`. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Future Internet (affected versions not specified) Description: The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `categoryId` parameter in a "Portal.ShowPage" action. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Minh Nguyen Duong Obie Website Mini Web Shop version 2.1.c Description: The issue allows remote attackers to obtain sensitive information via a request with an arbitrary `catname` parameter but no `itemsdb` parameter, which reveals the path in an error message. This might be resultant from a more serious issue such as directory traversal. Recommendations: For version 2.1.c, as a temporary workaround, consider restricting access to the `modules/viewcategory.php` file until a patch is available. Avoid using the `catname` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Minh Nguyen Duong Obie Website Mini Web Shop version 2.1.c Description: The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `catname` parameter in the modules/viewcategory.php file. Recommendations: For version 2.1.c, avoid using the `catname` parameter in the affected module until the issue is resolved. As a temporary workaround, consider restricting access to the modules/viewcategory.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Wyana (affected versions not specified) **Description** The issue allows remote attackers to obtain sensitive information via an invalid `lang` parameter in the `tools/tellhim.php` file, which reveals the path in an error message. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Belchior Foundry vCard version 2.9 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the `page` parameter in the "/toprated.php" and "/newcards.php" API endpoints. **Recommendations** For Belchior Foundry vCard version 2.9, consider restricting access to the "/toprated.php" and "/newcards.php" API endpoints until a fix is available. As a temporary workaround, avoid using the `page` parameter in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SaphpLesson version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `lessid` parameter in the "print.php" endpoint. **Recommendations** For SaphpLesson version 2.0, consider restricting access to the `lessid` parameter in the "print.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DCI-Taskeen version 1.03 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` or `action` parameter to "basket.php", or the `id` or `page` parameter to "cat.php". **Recommendations** For DCI-Taskeen version 1.03, consider restricting access to the "basket.php" and "cat.php" files until a patch is available. As a temporary workaround, avoid using the `id`, `action`, and `page` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** PhpWebThings version 1.4.4 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `forum` parameter in the "forum.php" file. **Recommendations** For PhpWebThings version 1.4.4, consider validating and sanitizing user input for the `forum` parameter to prevent XSS attacks. As a temporary workaround, restrict access to the "forum.php" file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PhpWebThings version 1.4.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `forum` parameter in the "forum.php" file. **Recommendations** For PhpWebThings version 1.4.4, consider restricting access to the `forum.php` file until a patch is available. As a temporary workaround, avoid using the `forum` parameter in the affected file to minimize the risk of exploitation.