Panghusec

**Name of the Vulnerable Software and Affected Versions** MetInfo version 6.1.0 **Description** The issue concerns SQL injection in the `doexport()` function, located in the `app/system/feedback/admin/feedback admin.class.php` file, which is vulnerable via the `class1` field. **Recommendations** For MetInfo version 6.1.0, update to a newer version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue concerns a cross-site scripting (XSS) problem. It can be triggered via an HTTP Referer header in the member.php file. **Recommendations** For PHPMyWind version 5.5, update the member.php file to properly validate and sanitize the HTTP Referer header to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue allows admin users to execute arbitrary code via the `varvalue` field in the admin/web config.php file. **Recommendations** For PHPMyWind version 5.5, restrict access to the admin/web config.php file to prevent exploitation. As a temporary workaround, consider disabling the ability to modify the `varvalue` field in this file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue allows admin users to execute arbitrary code via the `attrvalue[]` array parameter in the 'admin/goods update.php' file. **Recommendations** For PHPMyWind version 5.5, avoid using the `attrvalue[]` array parameter in the 'admin/goods update.php' file until a patch is available. Restrict access to the 'admin/goods update.php' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue allows admin users to execute arbitrary code via the rewrite url setting in the admin/web config.php file. **Recommendations** For PHPMyWind version 5.5, restrict access to the admin/web config.php file and the rewrite url setting to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue allows admin users to execute arbitrary code by manipulating the `cfg author` field in conjunction with a crafted `cfg webpath` field in the admin/web config.php file. **Recommendations** For PHPMyWind version 5.5, consider restricting access to the admin/web config.php file until a patch is available, and avoid using the `cfg author` and `cfg webpath` fields in conjunction to minimize the risk of exploitation.