Lionturk

**Name of the Vulnerable Software and Affected Versions** Angelo-Emlak version 1.0 **Description** The issue allows remote attackers to download a database due to insufficient access control. Sensitive information is stored under the web root, enabling attackers to access the database via a direct request for `veribaze/angelo.mdb`. **Recommendations** For Angelo-Emlak version 1.0, consider restricting access to the `veribaze/angelo.mdb` file to prevent unauthorized downloads until a proper fix is applied. Additionally, review and improve access controls for sensitive information stored under the web root.

**Name of the Vulnerable Software and Affected Versions** 8pixel.net Blog 4 (affected versions not specified) **Description** The issue concerns the storage of sensitive information under the web root with insufficient access control. This allows remote attackers to download a database via a direct request. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Erolife AjxGaleri VT (affected versions not specified) **Description** The issue allows remote attackers to download a database due to insufficient access control. Sensitive information is stored under the web root, enabling attackers to access the database via a direct request for `db/ajxgaleri.mdb`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Acidcat CMS version 3.5.x **Description** The issue allows remote attackers to access install.asp and other install *.asp scripts after the installation process has finished, potentially enabling them to restart the installation and have other unspecified impacts. This can be achieved via requests to install.asp and other related scripts. **Recommendations** For Acidcat CMS version 3.5.x, delete all files beginning with 'install' from the root directory after completing the installation, as instructed on the final installation screen.

**Name of the Vulnerable Software and Affected Versions** Acidcat CMS versions 3.5.3 and earlier **Description** The issue allows remote attackers to download a database containing credentials due to insufficient access control. This is possible because sensitive information is stored under the web root, enabling attackers to access it via a direct request for databases/acidcat 3.mdb. **Recommendations** For Acidcat CMS versions 3.5.3 and earlier, consider restricting access to the databases directory to prevent unauthorized downloads of sensitive information. As a temporary workaround, move sensitive databases outside of the web root until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** KMSoft Guestbook (aka GBook) version 1.0 **Description** The issue allows remote attackers to download a database due to insufficient access control of sensitive information stored under the web root. This can be achieved by making a direct request for the database file. **Recommendations** For KMSoft Guestbook (aka GBook) version 1.0, consider restricting access to the database file `db/db.mdb` to prevent unauthorized downloads until a proper fix is applied. As a temporary workaround, moving sensitive information outside of the web root or implementing proper access controls can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** JCE-Tech PHP Calendars version downloaded 20100121 **Description** The issue allows remote attackers to bypass intended access restrictions and modify application settings via a direct request to "install.php". This is only considered a problem when the administrator does not follow the recommendations outlined in the product's installation documentation. **Recommendations** For the version downloaded 20100121, follow the installation documentation recommendations to prevent exploitation. As a temporary workaround, consider restricting access to the "install.php" file until the issue is properly addressed by following the documentation guidelines.

**Name of the Vulnerable Software and Affected Versions** JCE-Tech PHP Calendars (affected versions not specified) **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is reportedly due to a forced SQL error message from exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JCE-Tech PHP Calendars (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `cat` parameter in the product list.php file. This enables attackers to manipulate the database by injecting malicious SQL code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UranyumSoft Listing Service (affected versions not specified) **Description** The issue allows remote attackers to download a database due to insufficient access control. Sensitive information is stored under the web root, enabling attackers to access the database via a direct request for database/db.mdb. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.