Qtrinux

**Name of the Vulnerable Software and Affected Versions** Airvae Commerce version 3.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `pid` parameter in the "index.php" endpoint. **Recommendations** For Airvae Commerce version 3.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `pid` parameter in the "index.php" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** iTechBids versions 3 Gold and 5.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `item id` parameter in the "bidhistory.php" file. **Recommendations** For iTechBids version 3 Gold, avoid using the `item id` parameter in the affected "bidhistory.php" file until the issue is resolved. For iTechBids version 5.0, restrict access to the "bidhistory.php" file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lama Software (affected versions not specified) **Description** The issue concerns remote file inclusion vulnerabilities in Lama Software, allowing remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `MY CONF[classRoot]` parameter to specific PHP files, including `inc.steps.access error.php`, `inc.steps.check login.php`, or `inc.steps.init system.php` in the `admin/functions/` directory. **Recommendations** As a temporary workaround, consider restricting access to the `admin/functions/` directory to minimize the risk of exploitation. Avoid using the `MY CONF[classRoot]` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: phpRealty version 0.02 Description: The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `MGR` parameter to specific API endpoints, including `/index.php`, `/p ins.php`, and `/u ins.php` in the `manager/admin/` directory. Recommendations: For phpRealty version 0.02, consider restricting access to the `manager/admin/` directory and its associated API endpoints, such as `/index.php`, `/p ins.php`, and `/u ins.php`, to minimize the risk of exploitation. Avoid using the `MGR` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Sisfo Kampus 2006 Description: The issue allows remote attackers to read arbitrary local files and possibly execute local PHP scripts via the `nmf` parameter in blanko.preview.php. Recommendations: For Sisfo Kampus 2006, consider restricting access to the `nmf` parameter in the blanko.preview.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.