Nima Salehi

**Name of the Vulnerable Software and Affected Versions** PHP (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in the includes/not mem.php file of the Add Name module for PHP. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Leicestershire communityPortals versions 1.0 build 20051018 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `cp root path` parameter. This is a different vector than previously identified issues. **Recommendations** For versions 1.0 build 20051018 and earlier, consider restricting access to the `bug.php` file until a fix is available. Avoid using the `cp root path` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB Insert User versions 0.1.2 and earlier **Description** A remote file inclusion issue allows attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This can be exploited by providing a malicious URL, potentially leading to code execution on the vulnerable system. **Recommendations** For phpBB Insert User versions 0.1.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB Security versions 1.0.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `php root path` parameter. This can be achieved by manipulating the `php root path` parameter in the phpbb security.php file. **Recommendations** For versions 1.0.1 and earlier, update to a version later than 1.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the `phpbb security.php` file to minimize the risk of exploitation. Avoid using the `php root path` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpBB module News Defilante Horizontale versions 4.1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the `includes/functions newshr.php` file of the affected module. **Recommendations** For versions 4.1.1 and earlier, consider restricting access to the `includes/functions newshr.php` file to minimize the risk of exploitation. Avoid using the `phpbb root path` parameter in URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in the archive/archive topic.php file of the SearchIndexer module for phpBB. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB module PlusXL versions 20 272 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the mods/iai/includes/constants.php file of the affected phpBB module. **Recommendations** For versions 20 272 and earlier, consider restricting access to the `mods/iai/includes/constants.php` file to minimize the risk of exploitation. Avoid using the `phpbb root path` parameter in URLs until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpBB module SpamOborona versions 1.0b and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in the admin/admin spam.php file. **Recommendations** For versions 1.0b and earlier, update to a version later than 1.0b to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpBB Prillian French module versions 0.8.0 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in the language/lang french/lang prillian faq.php file. **Recommendations** For phpBB Prillian French module versions 0.8.0 and earlier, consider restricting access to the `lang prillian faq.php` file until a patch is available. Avoid using the `phpbb root path` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpBB Journals System module versions 1.0.2 (RC2) and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in several PHP files, including includes/journals delete.php, includes/journals post.php, and includes/journals edit.php. **Recommendations** For phpBB Journals System module versions 1.0.2 (RC2) and earlier, consider disabling the `includes/journals delete.php`, `includes/journals post.php`, and `includes/journals edit.php` files until a patch is available to prevent remote attackers from executing arbitrary PHP code. Restrict access to the `phpbb root path` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpbb module lat2cyr versions 1.0.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the lat2cyr.php file. **Recommendations** For versions 1.0.1 and earlier, consider disabling the lat2cyr module until a patch is available to prevent exploitation. Restrict access to the `lat2cyr.php` file to minimize the risk of arbitrary PHP code execution. Avoid using the `phpbb root path` parameter in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SpamBlockerMODv module for phpBB versions 1.0.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the includes/antispam.php file of the SpamBlockerMODv module for phpBB. **Recommendations** For SpamBlockerMODv module for phpBB versions 1.0.2 and earlier, consider disabling the `includes/antispam.php` file or restricting access to it until a patch is available. Avoid using the `phpbb root path` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pnews versions 2.6.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `CFG[auth phpbb path]` parameter in the auth/phpbb.inc.php file. This can be exploited by providing a malicious URL. **Recommendations** For versions 2.6.4 and earlier, consider disabling the `CFG[auth phpbb path]` parameter or restricting its use to minimize the risk of exploitation until a fix is available.

**Name of the Vulnerable Software and Affected Versions** phpMyAgenda versions 3.1 and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `language` parameter. This can be demonstrated by a parameter value naming an Apache HTTP Server log file that apparently contains PHP code. **Recommendations** For phpMyAgenda versions 3.1 and earlier, consider restricting access to the `templates/header.php3` file until a patch is available. As a temporary workaround, avoid using the `language` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.