O0Xxdark0O

**Name of the Vulnerable Software and Affected Versions** phpMyInventory version 2.8 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `strIncludePrefix` parameter in the Includes/global.inc.php file. **Recommendations** For phpMyInventory version 2.8, consider restricting access to the `strIncludePrefix` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sitellite CMS versions 4.2.12 and earlier Description: A remote file inclusion issue might allow remote attackers to execute arbitrary PHP code via a URL in the `FORUM[LIB]` parameter. By default, access to the PhpDocumentor directory tree is blocked by .htaccess. Recommendations: For Sitellite CMS versions 4.2.12 and earlier, as a temporary workaround, consider restricting access to the PhpDocumentor directory tree to minimize the risk of exploitation. Avoid using the `FORUM[LIB]` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Idan Sofer PHP::HTML version 0.6.4 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `htmlclass path` parameter. This can be exploited by providing a malicious URL to the vulnerable parameter, potentially leading to code execution. Recommendations: For Idan Sofer PHP::HTML version 0.6.4, avoid using the `htmlclass path` parameter with untrusted input until a fix is available. Consider restricting access to the phphtml.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kawf versions 1.0 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `config` parameter in (1) "main.php" or (2) "user/account/main.php". **Recommendations** For Kawf versions 1.0 and earlier, as a temporary workaround, consider restricting access to the "main.php" and "user/account/main.php" files until a patch is available. Avoid using the `config` parameter in these files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** LoCal Calendar System version 1.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `LIBDIR` parameter in lib/lcUser.php. **Recommendations** For LoCal Calendar System version 1.1, consider restricting access to the `LIBDIR` parameter to minimize the risk of exploitation. Avoid using the `LIBDIR` parameter in the affected API endpoint until the issue is resolved.