Manuel García Cárdenas

**Name of the Vulnerable Software and Affected Versions** kama-clic-counter plugin version 3.4.9 **Description** The issue concerns SQL injection via the `order` parameter in the "admin.php" endpoint. This allows for potential exploitation by injecting malicious SQL code. **Recommendations** For kama-clic-counter plugin version 3.4.9, avoid using the `order` parameter in the "admin.php" endpoint until a fix is available. Consider temporarily restricting access to the admin.php endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin version 4.9.0.1 **Description** The issue is related to a CSRF problem that can be exploited by a remote attacker to delete any server on the Setup page. This allows for unauthorized actions on the database management system. **Recommendations** For phpMyAdmin version 4.9.0.1, consider restricting access to the Setup page as a temporary workaround until a patch is available. Additionally, ensure that all users of the system are aware of the potential for unauthorized server deletion to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wechat Broadcast plugin versions 1.2.0 and earlier **Description** The issue allows Directory Traversal via the `url` parameter in the Image.php file. **Recommendations** For Wechat Broadcast plugin versions 1.2.0 and earlier, update to a version later than 1.2.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Localize My Post plugin version 1.0 **Description** The issue allows Directory Traversal via the `ajax/include.php` file parameter. **Recommendations** For Localize My Post plugin version 1.0, consider restricting access to the `ajax/include.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pie Register plugin versions prior to 3.0.10 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the invitation codes grid, potentially leading to unauthorized data access or modification. **Recommendations** For versions prior to 3.0.10, update to version 3.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the invitation codes grid until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Kodi versions through 17.6 **Description** A Persistent XSS issue exists that allows the execution of arbitrary HTML/script code in the context of the victim user's browser via a playlist. **Recommendations** For versions through 17.6, update to a version that contains a fix for this issue to prevent the execution of arbitrary code.

**Name of the Vulnerable Software and Affected Versions** Textpattern CMS versions 4.6.2 and earlier **Description** An issue allows SQL code injection in the `qty` variable on the "index.php" page. **Recommendations** For Textpattern CMS versions 4.6.2 and earlier, update to a version later than 4.6.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SyncBreeze versions 10.2.12 and earlier **Description** The issue is related to a Remote Denial of Service. It occurs because the web server does not check bounds when reading server requests in the Host header, resulting in a Buffer Overflow that causes a Denial of Service. **Recommendations** For SyncBreeze versions 10.2.12 and earlier, update to a version later than 10.2.12 to resolve the issue. As a temporary workaround, consider restricting access to the web server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions prior to 2.4.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` parameter in an "activate address" address controller action, the `title` parameter in a "show" blog controller action, or the `content id` parameter in a "showComments" expComment controller action. **Recommendations** For versions prior to 2.4.0, update to version 2.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected controller actions until the update is applied. Avoid using the `id`, `title`, and `content id` parameters in the respective actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 2.5.5 Piwigo versions 2.6.x prior to 2.6.4 Piwigo versions 2.7.x prior to 2.7.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `rate` parameter to "picture.php". This is related to an improper data type in a comparison of a non-numeric value that begins with a digit in the `rate picture` function. **Recommendations** For versions prior to 2.5.5, update to version 2.5.5 or later. For versions 2.6.x prior to 2.6.4, update to version 2.6.4 or later. For versions 2.7.x prior to 2.7.2, update to version 2.7.2 or later.

**Name of the Vulnerable Software and Affected Versions** XAMPP version 1.8.1 **Description** The issue allows remote attackers to execute cross-site scripting (XSS) attacks by modifying xampp/lang.tmp via the `WriteIntoLocalDisk` method due to improper access restriction to xampp/lang.php. **Recommendations** For XAMPP version 1.8.1, consider restricting access to the xampp/lang.php file and avoid using the `WriteIntoLocalDisk` method until a patch is available.