Pouya_Server

Name of the Vulnerable Software and Affected Versions: Mini File Host version 1.5 Description: The issue allows remote attackers to execute arbitrary code by uploading a file with an executable extension and then accessing it via a direct request to the file in an unspecified directory. This can be demonstrated by creating a `name.php` file. Recommendations: For Mini File Host version 1.5, consider restricting or disabling file uploads until a patch is available to prevent the execution of arbitrary code. As a temporary workaround, restrict access to directories where uploaded files are stored to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Team Board versions 1.x **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `lookname` parameter in the "online.asp" file. **Recommendations** For Team Board version 1.x, consider restricting access to the `lookname` parameter in the online.asp file to minimize the risk of exploitation. As a temporary workaround, avoid using the `lookname` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Team Board versions 1.x through 2.x **Description** The issue allows remote attackers to download a database containing credentials via a direct request for data/team.mdb, due to insufficient access control of sensitive information stored under the web root. **Recommendations** For versions 1.x through 2.x, consider restricting access to the data/team.mdb file to minimize the risk of exploitation. As a temporary workaround, limit direct requests to sensitive data stored under the web root until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Ocean12 Contact Manager Pro version 1.02 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `Sort` parameter in the "default.asp" file. Recommendations: For Ocean12 Contact Manager Pro version 1.02, consider restricting access to the default.asp file until a patch is available. As a temporary workaround, avoid using the `Sort` parameter in the default.asp file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Ocean12 Contact Manager Pro version 1.02 Description: A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `DisplayFormat` parameter in the "default.asp" file. Recommendations: For Ocean12 Contact Manager Pro version 1.02, avoid using the `DisplayFormat` parameter in the default.asp file until a fix is available. As a temporary workaround, consider restricting access to the default.asp file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Katy Whitton BlogIt! (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `view` parameter in the "index.asp" file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Katy Whitton BlogIt! (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `day` parameter in an archive action within the index.asp file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Katy Whitton BlogIt! (affected versions not specified) **Description** A SQL injection issue exists in the index.asp file of Katy Whitton BlogIt!, allowing remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `month` and `year` parameters. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BlogIt! (affected versions not specified) **Description** The issue allows remote attackers to download a database file containing user credentials due to insufficient access control. This can be achieved via a direct request for the database file, specifically `database/Blog.mdb`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ocean12 Mailing List Manager Gold (affected versions not specified) **Description** The issue concerns the storage of sensitive data under the web root with insufficient access control. This allows remote attackers to download a database via a direct request for `o12mail.mdb`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ocean12 Mailing List Manager Gold (affected versions not specified) **Description** The issue concerns multiple SQL injection vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary SQL commands. The vulnerabilities can be exploited via the `Email` parameter to API endpoints such as "/default.asp" and "/s edit.asp". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ocean12 Mailing List Manager Gold version (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `Email` parameter in the default.asp file. This could potentially lead to unauthorized actions on the web application. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Katy Whitton RankEm (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `siteID` parameter in the "rankup.asp" file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RankEm (affected versions not specified) **Description** The issue allows remote attackers to download a database containing credentials due to insufficient access control. This is possible via a direct request for the database file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Net Guys ASPired2Blog (affected versions not specified) **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `BlogID` parameter in the admin/blog comments.asp file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ASP-DEv Internal E-Mail System (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `login` parameter (also known as the `user` field) or the `password` parameter (also known as the `pass` field) in the login.asp file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Net Guys ASPired2Blog (affected versions not specified) **Description** The issue allows remote attackers to download the database file containing usernames and passwords via a direct request for "admin/blog.mdb" due to insufficient access control. This enables unauthorized access to sensitive information stored under the web root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CodeAvalanche RateMySite (affected versions not specified) **Description** The issue allows remote attackers to download a database file containing the administrator password due to insufficient access control. This can be achieved via a direct request for the ` private/CARateMySite.mdb` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Net Guys ASPired2Quote (affected versions not specified) **Description** The issue allows remote attackers to download a database file containing usernames and passwords via a direct request for "admin/quote.mdb" due to insufficient access control. This is because sensitive information is stored under the web root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TAKempis Discussion Web version 4.0 **Description** The issue allows remote attackers to download a database file containing a password via a direct request for the ` private/discussion.mdb` file due to insufficient access control. This is because sensitive information is stored under the web root. **Recommendations** For TAKempis Discussion Web version 4.0, consider restricting access to the ` private/discussion.mdb` file to prevent unauthorized downloads until a proper fix is applied. Additionally, review and improve access controls for sensitive information stored under the web root.