Wms · Wmscms · CVE-2010-2317
**Name of the Vulnerable Software and Affected Versions**
WmsCms versions 2.0 and earlier
**Description**
The issue is an SQL injection flaw that allows remote attackers to execute arbitrary SQL commands. It is reachable through several request parameters: the `search`, `sbr`, `pid`, `sbl`, and `FilePath` parameters to "default.asp", and the `sbr`, `pr`, and `psPrice` parameters to "printpage.asp".
**Recommendations**
For WmsCms versions 2.0 and earlier, consider restricting access to the "default.asp" and "printpage.asp" endpoints until a patch is available. As a temporary workaround, avoid using the `search`, `sbr`, `pid`, `sbl`, `FilePath`, `pr`, and `psPrice` parameters in the affected endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
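
While access restrictions are being put in place, existing web server logs can be reviewed for requests that touch the affected parameters. The following Python script is an added example, not part of the original advisory or of WmsCms; the five-field log layout, the sample lines, and the metacharacter heuristic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Affected parameters per script, as listed in the advisory (lowercased,
# because classic ASP treats request parameter names case-insensitively).
AFFECTED = {
    "default.asp": {"search", "sbr", "pid", "sbl", "filepath"},
    "printpage.asp": {"sbr", "pr", "psprice"},
}

# Assumed heuristic: SQL metacharacters that legitimate values rarely carry.
SUSPICIOUS = re.compile(r"['\";]|--|/\*|\bunion\s+(all\s+)?select\b", re.I)

# Constructed sample lines: client-ip method uri-stem uri-query status
SAMPLE_LOG = """\
192.0.2.10 GET /default.asp search=blue+widgets 200
192.0.2.44 GET /default.asp pid=12%27 500
192.0.2.44 GET /printpage.asp psPrice=10&pr=3%27-- 500
192.0.2.10 GET /about.asp pid=12%27 200
192.0.2.10 GET /printpage.asp sbr=4 200
""".splitlines()


def suspicious_params(stem, query):
    """Return (param, decoded_value) pairs worth reviewing for one request."""
    script = stem.rsplit("/", 1)[-1].lower()
    watched = AFFECTED.get(script, set())
    return [
        (name, value)
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name.lower() in watched and SUSPICIOUS.search(value)
    ]


def scan_log(lines):
    """Return (client_ip, stem, param, value) for every flagged parameter."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip comment lines and anything not in the assumed layout
        ip, _method, stem, query, _status = fields
        for param, value in suspicious_params(stem, "" if query == "-" else query):
            hits.append((ip, stem, param, value))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of exploitation. Request bodies do not appear in access logs, so parameters sent by POST are not covered.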