Manuel López

**Name of the Vulnerable Software and Affected Versions** News Manager Lite version 2.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `email` parameter to "comment add.asp", the `search` parameter to "search.asp", or the `n` parameter to "category news headline.asp". **Recommendations** For News Manager Lite version 2.5, consider disabling the comment add.asp, search.asp, and category news headline.asp pages until a patch is available. Restrict access to these pages to minimize the risk of exploitation. Avoid using the `email`, `search`, and `n` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** A-CART Pro version 2.0 A-CART version 2.0 **Description** The issue allows remote attackers to gain privileges via the `catcode` parameter in the "category.asp" file. **Recommendations** For A-CART Pro version 2.0, update the category.asp file to properly sanitize the `catcode` parameter. For A-CART version 2.0, update the category.asp file to properly sanitize the `catcode` parameter.

**Name of the Vulnerable Software and Affected Versions** A-CART Pro (affected versions not specified) A-CART 2.0 (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities are located in the deliver.asp and billing.asp files. They allow remote attackers to inject arbitrary web script or HTML via the user information forms. **Recommendations** For A-CART Pro, update the deliver.asp and billing.asp files to prevent XSS injections. For A-CART 2.0, update the deliver.asp and billing.asp files to prevent XSS injections.

**Name of the Vulnerable Software and Affected Versions** Member Management System version 2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `ID` parameter to API endpoints such as "resend.asp" or "news view.asp". **Recommendations** For Member Management System version 2.1, avoid using the `ID` parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to the "resend.asp" and "news view.asp" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPX version 3.2.3 **Description** A cross-site scripting issue allows remote attackers to execute arbitrary scripts as other users. This can be achieved by injecting arbitrary HTML or script into specific areas, including the `keywords` argument of `main.inc.php`, the `body` argument of `help.inc.php`, or the `subject` field in Personal Messages and Forum. **Recommendations** For PHPX version 3.2.3, as a temporary workaround, consider restricting access to the `main.inc.php` and `help.inc.php` files, and limit user input in the subject field of Personal Messages and Forum to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MaxWebPortal (affected versions not specified) **Description** The issue concerns multiple cross-site scripting vulnerabilities in MaxWebPortal. These vulnerabilities allow remote attackers to execute arbitrary web script as other users. The vulnerabilities can be exploited through various means, including the `sub name` parameter of 'dl showall.asp', the `SendTo` parameter in Personal Messages, the `HTTP REFERER` for 'down.asp', or the image name of an Avatar in the register form. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.