Spc-X

**Name of the Vulnerable Software and Affected Versions** Andys Chat version 4.5 **Description** A remote file inclusion issue in the register.php file allows remote attackers to execute arbitrary code via the `action` parameter. This issue was reported by a researcher, but its validity cannot be confirmed due to the vendor no longer distributing the product. **Recommendations** For Andys Chat version 4.5, consider disabling the `action` parameter in the register.php file as a temporary workaround until a more permanent solution can be found. Restrict access to the register.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Develooping Flash Chat (affected versions not specified) **Description** A remote file inclusion issue in the adminips.php file of Develooping Flash Chat allows remote attackers to execute arbitrary PHP code via a URL in the `banned file` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Robin de Graff Somery version 0.4.4 **Description** A remote file inclusion issue in upload/admin/team.php allows remote attackers to potentially execute arbitrary PHP code via a URL in the `checkauth` parameter. However, it's noted that the `checkauth` parameter is only used in conditionals, which might affect the exploitability of this issue. **Recommendations** For version 0.4.4, consider restricting access to the upload/admin/team.php file until a patch is available, and avoid using the `checkauth` parameter in this context to minimize potential risks.

**Name of the Vulnerable Software and Affected Versions** Flipper Poll versions 1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `root path` parameter in the poll.php file. **Recommendations** For Flipper Poll versions 1.1 and earlier, consider restricting access to the poll.php file until a patch is available. As a temporary workaround, avoid using the `root path` parameter in the poll.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Codewalkers Ltwcalendar version 4.1.3 **Description** The issue allows remote attackers to potentially execute arbitrary PHP code via a URL in the `ltw config[include dir]` parameter in the Ltwcalendar/calendar.php file. However, it is noted that the `$ltw config[include dir]` variable is defined as a static value in an include file before it is referenced in an include() statement, which disputes the claim of vulnerability. **Recommendations** For Codewalkers Ltwcalendar version 4.1.3, consider reviewing the code to ensure the `$ltw config[include dir]` variable is properly sanitized and validated to prevent potential exploitation. As a temporary workaround, consider restricting access to the `calendar.php` file until the issue is fully resolved.

**Name of the Vulnerable Software and Affected Versions** Amr Talkbox (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `direct` parameter in the talkbox.php file. However, it's noted that the `$direct` variable is set to a static value just before the include statement, which has led to a dispute over the validity of this issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyBoards PHP Lite version 1.25 **Description** A remote file inclusion issue exists due to the `script path` parameter in include/common.php, potentially allowing remote attackers to execute arbitrary PHP code via a URL. **Recommendations** For CyBoards PHP Lite version 1.25, consider restricting access to the `include/common.php` file to minimize the risk of exploitation. Additionally, avoid using the `script path` parameter in URLs until the issue is resolved.