Luny

**Name of the Vulnerable Software and Affected Versions** Scriptsez.net E-Dating System (affected versions not specified) **Description** The issue allows remote attackers to inject arbitrary web script or HTML via encoded entities (`&#0000039`) in IMG tags to various parts of the system, including messages, profile fields, or the `id` parameter in a `dologin` operation to `cindex.php`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Scriptsez.net E-Dating System (affected versions not specified) **Description** The issue concerns the storage of data files with predictable names under the web document root, which is accompanied by insufficient access control. This allows remote attackers to read private messages. The accessed data can then be leveraged for cross-site scripting (XSS) attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Scriptsez.net E-Dating System (affected versions not specified) **Description** The issue allows remote attackers to obtain the full path of the system via an invalid `id` parameter in a "dologin" action. This is achieved by exploiting the `cindex.php` file, which leaks the path in an error message when an invalid `id` is provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Super Link Exchange Script version 1.0 **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the make thumbnail.php file. This is achieved by using ".." sequences in the `imgpath` parameter. **Recommendations** For Super Link Exchange Script version 1.0, consider restricting access to the make thumbnail.php file or validating and sanitizing the `imgpath` parameter to prevent directory traversal attacks. As a temporary workaround, avoid using the `imgpath` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Super Link Exchange Script version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL queries. This is achieved via the `cat` parameter in the directory.php file. **Recommendations** For Super Link Exchange Script version 1.0, consider restricting access to the directory.php file until a patch is available. As a temporary workaround, avoid using the `cat` parameter in the affected directory.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Super Link Exchange Script version 1.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via IMG tags in the search box. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For Super Link Exchange Script version 1.0, consider disabling the search box functionality until a patch is available to prevent exploitation of the XSS issue. Restrict access to the search functionality to minimize the risk of arbitrary code injection.

**Name of the Vulnerable Software and Affected Versions** fx-APP version 0.0.8.1 **Description** The issue allows remote attackers to misrepresent the contents of a web page by providing an arbitrary URL in the `url` parameter to a "showhtml" action for "index.php", causing the URL to be displayed within an iframe. **Recommendations** For fx-APP version 0.0.8.1, consider restricting access to the "showhtml" action for "index.php" to minimize the risk of exploitation, and avoid using the `url` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** fx-APP version 0.0.8.1 **Description** The issue allows remote attackers to inject arbitrary HTML or web script via several fields, including the search box, url, website, comment, and signature fields in the profile, and possibly a menu item. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For fx-APP version 0.0.8.1, consider disabling the search box and restricting input in the url, website, comment, and signature fields in the profile until a patch is available. Avoid using potentially vulnerable menu items until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nwom topsites version 3.0 **Description** The issue allows remote attackers to obtain potentially sensitive information by forcing a SQL error through the `o` parameter in index.php. This is achieved by including a ' (quote) character in the `o` parameter. **Recommendations** For Nwom topsites version 3.0, consider restricting access to the index.php file or validating user input for the `o` parameter to prevent SQL errors and potential information disclosure. As a temporary workaround, avoid using the `o` parameter in index.php until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Nwom topsites version 3.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `o` parameter in the index.php file. **Recommendations** For Nwom topsites version 3.0, avoid using the `o` parameter in the index.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input to the `o` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Yet Another Link Directory version 1.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `search` parameter in the yald.php file. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For Yet Another Link Directory version 1.0, consider restricting access to the yald.php file or disabling the search functionality until a patch is available. As a temporary workaround, avoid using the `search` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Winged Gallery version 1.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `image` parameter in the `/gallery/thumb.php` API endpoint. **Recommendations** For Winged Gallery version 1.0, consider restricting access to the `/gallery/thumb.php` endpoint until a patch is available, and avoid using the `image` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Garry Glendown Shopping Cart version 0.9 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the shop name field in editshop.php, edititem.php, and index.php, and via the item field in editshop.php and edititem.php. API Endpoints: - editshop.php - edititem.php - index.php Vulnerable Parameters or Variables: - `shop name` - `item` **Recommendations** For Garry Glendown Shopping Cart version 0.9, consider validating and sanitizing user input for the `shop name` and `item` fields in the affected API endpoints to prevent XSS attacks. As a temporary workaround, restrict access to editshop.php, edititem.php, and index.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Sport-slo Advanced Guestbook version 1.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `name` and `form` parameters. **Recommendations** For Sport-slo Advanced Guestbook version 1.0, consider disabling the guestbook functionality until a patch is available to prevent exploitation of the XSS vulnerabilities. Restrict access to the guestbook.php file to minimize the risk of exploitation. Avoid using the `name` and `form` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Buddy Zone version 1.0.1 **Description** The issue allows remote attackers to inject arbitrary HTML and web script. This can be achieved via several parameters, including the `cat id` parameter to "view classifieds.php", the `id` parameter in "view ad.php", the `event id` parameter in "view event.php", "delete event.php", and "edit event.php", and the `group id` in "view group.php". **Recommendations** For Buddy Zone version 1.0.1, consider restricting access to the vulnerable parameters `cat id`, `id`, `event id`, and `group id` in the respective API endpoints until a patch is available. As a temporary workaround, avoid using these parameters in the affected endpoints.

**Name of the Vulnerable Software and Affected Versions** mAds version 1.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `search string` in the search.php file. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For mAds version 1.0, consider validating and sanitizing user input for the `search string` to prevent injection of malicious scripts or HTML. As a temporary workaround, restrict access to the search.php file until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** PHP Classifieds (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `rate` parameter in the search.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP/MySQL Classifieds (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the AddAsset1.php file. This vulnerability allows remote attackers to execute arbitrary SQL commands by manipulating certain parameters, including the `ProductName` ("Title" field), `url`, and `Description` parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Custom dating biz dating script version 1.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via specific parameters. The vulnerable parameters include the `sn20 special cases` parameter in the "Special Cases" field of profile/mini.php, the `tyxx01 album name` parameter in the "Album Name" field of profile/photo create.php, and the `u` parameter in admin/user view.php. **Recommendations** For Custom dating biz dating script version 1.0, avoid using the `sn20 special cases`, `tyxx01 album name`, and `u` parameters in their respective API endpoints until a fix is available. As a temporary workaround, consider restricting access to the profile/mini.php, profile/photo create.php, and admin/user view.php pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Usenet Script version 0.5 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `group` parameter in the "index.php" file. **Recommendations** For version 0.5, update to a newer version that contains a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `group` parameter in the "index.php" file until a patch is available.