Mr_Kaliman

Name of the Vulnerable Software and Affected Versions: Xt-News version 0.1 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id news` parameter in the show news.php file. Recommendations: For Xt-News version 0.1, consider restricting access to the show news.php file until a patch is available, and avoid using the `id news` parameter in this file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Xt-News version 0.1 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The `id news` parameter in the API endpoints, such as "add comment.php" and "show news.php", is vulnerable to such injections. Recommendations: For Xt-News version 0.1, as a temporary workaround, consider restricting access to the `id news` parameter in the "add comment.php" and "show news.php" API endpoints until a patch is available. Avoid using the `id news` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GenesisTrader version 1.0 **Description** The issue allows remote attackers to read source code for arbitrary files and obtain sensitive information. This is achieved via the `do` and `chem` parameters with a `modfich` parameter set to "floap". **Recommendations** For GenesisTrader version 1.0, consider restricting access to the form.php file until a patch is available. As a temporary workaround, avoid using the `do` and `chem` parameters with the `modfich` parameter set to "floap" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GenesisTrader version 1.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via vulnerable parameters, including `cuve`, `chem`, and `do`. **Recommendations** For GenesisTrader version 1.0, avoid using the parameters `cuve`, `chem`, and `do` in the form.php file until a fix is available. As a temporary workaround, consider restricting access to the form.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GenesisTrader version 1.0 **Description** The issue concerns an unrestricted file upload vulnerability. This vulnerability allows remote authenticated users to upload arbitrary files. The vulnerability possibly involves form.php and the `ajoutfich` action with the `foap` parameter. **Recommendations** For GenesisTrader version 1.0, consider restricting access to the upload.php file and the `ajoutfich` action in form.php to prevent arbitrary file uploads until a fix is available. As a temporary workaround, restrict the use of the `foap` action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Messageriescripthp version 2.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to security breaches. This can be achieved via several parameters, including the `pseudo` parameter to "existepseudo.php", the `email` parameter to "existeemail.php", or the `pageName` or `cssform` parameters to "Contact/contact.php". **Recommendations** For Messageriescripthp version 2.0, consider validating and sanitizing user input for the `pseudo`, `email`, `pageName`, and `cssform` parameters to prevent arbitrary script injection. As a temporary workaround, restrict access to the affected scripts, "existepseudo.php", "existeemail.php", and "Contact/contact.php", until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** ProNews version 1.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including `pseudo`, `email`, `date`, `sujet`, `message`, `site`, `lien`, and `aa`, to specific API endpoints, such as "admin/change.php" and "lire-avis.php". **Recommendations** For ProNews version 1.5, consider restricting access to the "admin/change.php" and "lire-avis.php" endpoints until a patch is available. As a temporary workaround, avoid using the parameters `pseudo`, `email`, `date`, `sujet`, `message`, `site`, `lien`, and `aa` in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** ProNews version 1.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `aa` parameter in the 'lire-avis.php' file. **Recommendations** For ProNews version 1.5, consider restricting access to the 'lire-avis.php' file or validating and sanitizing the `aa` parameter to prevent SQL injection attacks. As a temporary workaround, restrict the use of the `aa` parameter in the 'lire-avis.php' file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Messageriescripthp version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `aa` parameter in the "lire-avis.php" file. **Recommendations** For Messageriescripthp version 2.0, consider restricting access to the `lire-avis.php` file until a patch is available, and avoid using the `aa` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AnnonceScriptHP version 2.0 **Description** The issue allows remote attackers to obtain sensitive information, specifically disclosing passwords for arbitrary users, by exploiting the `idmembre` parameter in the 'admin/admin membre/fiche membre.php' file. **Recommendations** For AnnonceScriptHP version 2.0, as a temporary workaround, consider restricting access to the 'admin/admin membre/fiche membre.php' file until a patch is available. Avoid using the `idmembre` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AnnonceScriptHP version 2.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `email` parameter in several files, including "erreurinscription.php", "Templates/admin.dwt.php", "Templates/commun.dwt.php", "membre.dwt.php", and "admin/admin config/Aide.php". This can lead to cross-site scripting (XSS) attacks. **Recommendations** For AnnonceScriptHP version 2.0, consider validating and sanitizing the `email` parameter in the affected files to prevent arbitrary web script or HTML injection. As a temporary workaround, restrict access to the vulnerable files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AnnonceScriptHP version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different files, including the `id` parameter in "email.php", the `no` parameter in "voirannonce.php", the `idmembre` parameter in "admin/admin membre/fiche membre.php", and the `idannonce` parameter in "admin/admin annonce/okvalannonce.php" and "admin/admin annonce/changeannonce.php". **Recommendations** For AnnonceScriptHP version 2.0, consider restricting access to the vulnerable parameters `id`, `no`, `idmembre`, and `idannonce` in the respective files until a patch is available. As a temporary workaround, disabling the execution of SQL commands from these parameters can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** @lex Guestbook version 4.0.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `skin` parameter in the index.php file. **Recommendations** For @lex Guestbook version 4.0.1, consider restricting access to the `skin` parameter in the index.php file until a patch is available. As a temporary workaround, avoid using the `skin` parameter in the affected endpoint.

**Name of the Vulnerable Software and Affected Versions** @lex Guestbook version 4.0.1 **Description** The issue allows remote attackers to obtain sensitive information via a `skin` parameter referencing a nonexistent skin, which reveals the installation path in an error message. **Recommendations** For @lex Guestbook version 4.0.1, consider restricting access to the `index.php` file until a patch is available, or avoid using the `skin` parameter with nonexistent skin references to minimize the risk of exploitation.