Or4Ng.M4N

**Name of the Vulnerable Software and Affected Versions** Lost and Found Information System version 1.0 **Description** The issue allows account takeover via `username` and `password` to a "/classes/Users.php?f=save" API endpoint. **Recommendations** For Lost and Found Information System version 1.0, consider disabling access to the "/classes/Users.php?f=save" API endpoint until a patch is available. Restrict the use of `username` and `password` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pragyan CMS versions 3.0 and earlier **Description** The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `fileget` parameter in a profile action to "index.php". This is a directory traversal vulnerability in download.lib.php. **Recommendations** For Pragyan CMS versions 3.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** php ireport version 1.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `message` parameter to specific API endpoints, including "messages viewer.php", "home.php", or "history.php". This can lead to cross-site scripting (XSS) attacks. **Recommendations** For php ireport version 1.0, as a temporary workaround, consider restricting access to the "messages viewer.php", "home.php", and "history.php" endpoints until a patch is available. Avoid using the `message` parameter in these affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDevSpot iSupport versions 1.x **Description** A cross-site request forgery issue allows remote attackers to hijack the authentication of administrators for requests that add administrator accounts via an administrators action. This occurs in the admin/function.php file. **Recommendations** For IDevSpot iSupport versions 1.x, consider disabling the administrators action in the admin/function.php file until a patch is available to prevent exploitation. Restrict access to the admin/function.php file to minimize the risk of unauthorized administrator account additions.

**Name of the Vulnerable Software and Affected Versions** miniCMS versions 1.0 through 2.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via crafted `pagename` or `area` variables containing executable extensions. This is due to improper handling by `update.php` when writing files to `content/`, or by `updatenews.php` when writing files to `content/news/`. **Recommendations** For miniCMS versions 1.0 through 2.0, consider disabling the `update.php` and `updatenews.php` scripts until a patch is available to prevent arbitrary PHP code execution. Restrict access to the `content/` and `content/news/` directories to minimize the risk of exploitation. Avoid using the `pagename` and `area` variables in the affected scripts until the issue is resolved.