Parad0X

**Name of the Vulnerable Software and Affected Versions** XHCMS version 1.0 **Description** A critical issue has been found in the POST Parameter Handler component of the login.php file, where the manipulation of the `user` argument leads to SQL injection. This issue can be initiated remotely. **Recommendations** For XHCMS version 1.0, consider restricting access to the login.php file or disabling the POST Parameter Handler component until a fix is available. Avoid using the `user` argument in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MyAlbum component (com myalbum) version 1.0 for Joomla! **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `album` parameter to the `/index.php` API endpoint. **Recommendations** For MyAlbum component (com myalbum) version 1.0, avoid using the `album` parameter in the `/index.php` endpoint until the issue is resolved. Consider restricting access to the `/index.php` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPKB versions 1.5 through 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `ID` parameter in the comment.php file. **Recommendations** For PHPKB versions 1.5 through 2.0, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the comment.php file to minimize the risk of exploitation. Avoid using the `ID` parameter in the affected comment.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Blog Pixel Motion (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `categorie` parameter to "index.php", possibly related to include/requetesIndex.php. This could be exploited to extract or modify sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NetVIOS Portal version not specified **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `NewsID` parameter in the "News/page.asp" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.