Nomenumbra

**Name of the Vulnerable Software and Affected Versions** Chipmunk Blogger (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via `script` tags in posts and profile names. Additionally, a `javascript` URI in a URL argument in the photo gallery can be exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-AGTC Membership System versions 1.1a and earlier **Description** The issue concerns a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `useremail` parameter in the adduser.php file. **Recommendations** For PHP-AGTC Membership System versions 1.1a and earlier, consider validating and sanitizing user input for the `useremail` parameter to prevent XSS attacks. As a temporary workaround, restrict access to the adduser.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ByteHoard versions 2.1 and earlier **Description** The issue allows remote authenticated users to create or overwrite files in other users' directories. This is achieved by specifying the absolute path of the directory in the `infolder` parameter and simultaneously specifying the filename in the `filepath` parameter in the copy action in index.php. **Recommendations** For ByteHoard versions 2.1 and earlier, as a temporary workaround, consider restricting access to the copy action in index.php until a patch is available. Avoid using the `infolder` and `filepath` parameters in the copy action to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ByteHoard versions 2.1 and earlier **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via file descriptions. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For ByteHoard versions 2.1 and earlier, update to a version later than 2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Russcom.Ping (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `domain` parameter of the ping.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SkyeBox version 1.2.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The `name` and `message` parameters are specifically vulnerable to such injections. **Recommendations** For SkyeBox version 1.2.0, avoid using the `name` and `message` parameters in the post.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input for these parameters to prevent malicious script injections.

**Name of the Vulnerable Software and Affected Versions** Chatty versions prior to the fixed version **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `username`. This could potentially lead to unauthorized actions on behalf of the user. **Recommendations** For versions prior to the fixed version, update to the latest version to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Russcom PHPImages (affected versions not specified) **Description** The issue allows remote attackers to upload files of arbitrary types by uploading a file with a .gif extension. However, due to a lack of specific information about attack vectors, it is unclear whether this is a vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PassMasterFlex versions 1.2 and earlier PassMasterFlexPlus versions 1.2 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `username`, `password`, or `User-Agent` HTTP header in the Hack Log. **Recommendations** For PassMasterFlex versions 1.2 and earlier, update to a version later than 1.2. For PassMasterFlexPlus versions 1.2 and earlier, update to a version later than 1.2. As a temporary workaround, consider restricting input for the `username` and `password` fields, as well as limiting the information sent in the `User-Agent` HTTP header, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Website Baker CMS versions prior to 2.6.4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a user display name. **Recommendations** For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Vision Source versions 0.6 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the fields in a user's profile, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For Vision Source versions 0.6 and earlier, consider restricting user input in profile fields to minimize the risk of exploitation until a fix is available.

**Name of the Vulnerable Software and Affected Versions** X7 Chat versions 2.0.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a javascript URI in the URL of an avatar. This is possibly related to the `avatar` parameter in the `register.php` file. **Recommendations** For versions 2.0.2 and earlier, as a temporary workaround, consider restricting access to the `register.php` file or disabling the `avatar` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** myWebland MyBloggie versions 2.1.3 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode `img` tag. **Recommendations** For versions 2.1.3 and earlier, update to a version later than 2.1.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FlexCustomer versions 0.0.4 and earlier FlexCustomer version 0.0.6 **Description** The issue allows remote attackers to bypass authentication and execute arbitrary SQL commands. This is likely related to the `checkuser` and `checkpass` parameters in the "admin/index.php" endpoint, as well as the `username` and `password` parameters in the "index.php" endpoint. **Recommendations** For FlexCustomer versions 0.0.4 and earlier, and version 0.0.6, consider disabling access to the "admin/index.php" and "index.php" endpoints until a fix is available. Restrict the use of the `checkuser`, `checkpass`, `username`, and `password` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TyroCMS version beta 1.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various means, including using a javascript URI in an `img` BBCode tag, or a JavaScript event in a `url` BBCode tag or `color` BBCode tag. **Recommendations** For TyroCMS version beta 1.0, consider disabling the use of BBCode tags, specifically `img`, `url`, and `color`, until a fix is available to prevent the injection of arbitrary web script or HTML. Restrict access to these features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SloughFlash SF-Users version 1.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability, which allows remote attackers to inject arbitrary web script or HTML. This can be achieved by setting the `username` field to contain JavaScript in the SRC attribute of an IMG element, potentially in the `register.php` file. **Recommendations** For SloughFlash SF-Users version 1.0, consider restricting the input for the `username` field to prevent injection of malicious scripts until a patch is available. As a temporary workaround, restrict access to the `register.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CMScout versions 1.10 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `Body` field of a private message, `BBCode`, or a forum post. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For CMScout versions 1.10 and earlier, update to a version later than 1.10 to resolve the issue. As a temporary workaround, consider restricting user input in the `Body` field of private messages, `BBCode`, and forum posts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FileProtection Express versions 1.0.1 and earlier **Description** The issue allows remote attackers to bypass authentication by manipulating a cookie with an `Admin` value of `1`. **Recommendations** For FileProtection Express versions 1.0.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jupiter Content Manager versions 1.1.5 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a Javascript URI in the `image` BBcode tag. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For Jupiter Content Manager versions 1.1.5 and earlier, update to a version later than 1.1.5 to resolve the issue. As a temporary workaround, consider restricting the use of the `image` BBcode tag until a patch is available.