Sid3^Effects

**Name of the Vulnerable Software and Affected Versions** SchoolMation version 2.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `session` parameter in the /html/studentmain.php file. **Recommendations** For SchoolMation version 2.3, update the software to a version that fixes this issue, ensuring that the /html/studentmain.php file is secured against XSS attacks by properly sanitizing the `session` parameter.

**Name of the Vulnerable Software and Affected Versions** iScripts eSwap version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `type` parameter in the "addsale.php" file. **Recommendations** For iScripts eSwap version 2.0, consider restricting access to the addsale.php file until a patch is available, and avoid using the `type` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iScripts eSwap version 2.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `txtHomeSearch` parameter in the "search.php" file, which is also referred to as the search field. **Recommendations** For iScripts eSwap version 2.0, consider restricting access to the `txtHomeSearch` parameter in the search.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `txtHomeSearch` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iScripts EasyBiller version 1.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `planid` parameter in the "viewhistorydetail.php" file. **Recommendations** For iScripts EasyBiller version 1.1, consider restricting access to the `viewhistorydetail.php` file until a patch is available, and avoid using the `planid` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 2daybiz Online Classified Script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `alb` parameter in the view photo.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 2daybiz Network Community Script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `alb` parameter in the view photo.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mckenzie Creations Virtual Real Estate Manager (VRM) version 3.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `Lid` parameter in the `listing detail.asp` file. **Recommendations** For version 3.5, consider restricting access to the `listing detail.asp` file until a patch is available. As a temporary workaround, avoid using the `Lid` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SchoolMation version 2.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `session` parameter in the `/html/studentmain.php` endpoint. **Recommendations** For SchoolMation version 2.3, consider restricting access to the `/html/studentmain.php` endpoint until a patch is available, and avoid using the `session` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple Document Management System (SDMS) (affected versions not specified) **Description** A SQL injection issue in the detail.php file of SDMS allows remote attackers to execute arbitrary SQL commands by manipulating the `doc id` parameter. **Recommendations** For SDMS, consider restricting access to the detail.php file until a patch is available, and avoid using the `doc id` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** com autartimonial version 1.0.8 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `limit` parameter in an autartimonial action to "index.php". This enables attackers to manipulate the database by injecting malicious SQL code. **Recommendations** For version 1.0.8, consider restricting access to the autartimonial action in index.php to minimize the risk of exploitation. Avoid using the `limit` parameter in the autartimonial action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component NeoRecruit (com neorecruit) version 1.6.4 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `Itemid` parameter in an `offer view` action to "index.php". **Recommendations** For version 1.6.4, consider restricting access to the `offer view` action in "index.php" to minimize the risk of exploitation. Avoid using the `Itemid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joomla! Payments Plus component version 2.1.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `type` parameter to the "add.html" endpoint. **Recommendations** For version 2.1.5, consider restricting access to the "add.html" endpoint until a patch is available, and avoid using the `type` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com ninjamonials (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `Itemid` parameter in a "display" action to "index.php". **Recommendations** For the affected version, consider restricting access to the vulnerable component until a patch is available. Avoid using the `Itemid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com addressbook (affected versions not specified) **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `Itemid` parameter in a contact action to the "index.php" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component Techjoomla SocialAds For JomSocial (com socialads) (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the ads description field in a showad action to "index.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! com jradio component versions prior to 1.5.1 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using directory traversal sequences in the `controller` parameter to `index.php`. **Recommendations** For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the `index.php` endpoint to minimize the risk of exploitation. Avoid using the `controller` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AJ Article version 3.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in an update action, specifically the `emailid`, `fname`, `lname`, `company`, `address1`, `address2`, `city`, `state`, `zipcode`, `phone`, and `fax` parameters in the index.php file. **Recommendations** For AJ Article version 3.0, update the index.php file to properly sanitize and validate user input for the `emailid`, `fname`, `lname`, `company`, `address1`, `address2`, `city`, `state`, `zipcode`, `phone`, and `fax` parameters to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the update action in index.php until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Kayako eSupport version 3.70.02 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `newsid` parameter in a "viewnews" action within the index.php file. **Recommendations** For Kayako eSupport version 3.70.02, avoid using the `newsid` parameter in the "viewnews" action until the issue is resolved. As a temporary workaround, consider restricting access to the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! (affected versions not specified) **Description** A directory traversal issue in the Music Manager component allows remote attackers to read arbitrary files and possibly have other impacts by using a .. (dot dot) in the `cid` parameter to "album.html" API endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RightInPoint Lyrics Script version 3.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `artist id` parameter in an "addalbum" action in the "index.php" file. **Recommendations** For version 3.0, consider restricting access to the `artist id` parameter in the "addalbum" action to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.