Tamriel

**Name of the Vulnerable Software and Affected Versions** Professional Home Page Tools Login Script (affected versions not specified) **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `name`, `vorname`, and `nachname` parameters in the register script, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xeobook version 0.93 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the User-Agent HTTP header or specific parameters, including `gb entry text`, `gb location`, `gb fullname`, and `gb sex`. **Recommendations** For Xeobook version 0.93, consider validating and sanitizing user input for the User-Agent HTTP header and the parameters `gb entry text`, `gb location`, `gb fullname`, and `gb sex` to prevent SQL injection attacks. As a temporary workaround, restrict access to the sign.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XeoPort versions 0.81 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `xp body text` parameter in the "index.php" file. **Recommendations** For XeoPort versions 0.81 and earlier, consider restricting access to the `xp body text` parameter in the "index.php" file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** eXpBlog versions 0.3.5 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the query string (PHP SELF) in "kalender.php" or the `captcha session code` parameter in "pre details.php". **Recommendations** For versions 0.3.5 and earlier, consider disabling the `kalender.php` and `pre details.php` scripts until a patch is available. Restrict access to these scripts to minimize the risk of exploitation. Avoid using the `captcha session code` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** GeheimChaos versions 0.5 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `Temp entered login` or `Temp entered email` parameters to "gc.php", and in multiple parameters in "include/registrieren.php", possibly involving the variables `form email`, `form vorname`, `form nachname`, `form strasse`, `form plzort`, `form land`, `form homepage`, `form bildpfad`, `form profilsichtbar`, `Temp sprache`, `form tag`, `form monat`, `form jahr`, `Temp akt string`, `form icq`, `form msn`, `form yahoo`, `form username`, and `Temp form pass`. **Recommendations** For GeheimChaos versions 0.5 and earlier, consider disabling the SQL execution functionality or restricting access to the "gc.php" and "include/registrieren.php" files until a patch is available. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CounterChaos versions 0.48c and earlier **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `Referer` HTTP header. **Recommendations** For CounterChaos versions 0.48c and earlier, update to a version later than 0.48c to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** GaesteChaos versions 0.2 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `gastname` or `gastwohnort` parameters in the eintragen.php file. **Recommendations** For GaesteChaos versions 0.2 and earlier, as a temporary workaround, consider restricting input for the `gastname` and `gastwohnort` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GaesteChaos versions 0.2 and earlier **Description** The issue concerns SQL injection vulnerabilities in the eintragen.php file. Remote attackers can execute arbitrary SQL commands by manipulating the `gastname`, `gastwohnort`, or `gasteintrag` parameters. **Recommendations** For GaesteChaos versions 0.2 and earlier, as a temporary workaround, consider restricting access to the eintragen.php file until a patch is available. Avoid using the parameters `gastname`, `gastwohnort`, or `gasteintrag` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TP-Book versions 1.00 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `name` parameter in the guestbook.php file. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For TP-Book versions 1.00 and earlier, avoid using the `name` parameter in the guestbook.php file until a fix is available. As a temporary workaround, consider restricting access to the guestbook.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Professional Home Page Tools Guestbook (affected versions not specified) **Description** The issue concerns the delcookie.php file in Professional Home Page Tools Guestbook, where it incorrectly changes the expiration date of a cookie instead of deleting the cookie's value. This makes it easier for attackers to steal the cookie and obtain the administrator's password hash after logout. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Huttenlocher Webdesign hwdeGUEST versions 2.1.1 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. This is demonstrated by the `name input` field in the "new entry.php" file. **Recommendations** For versions 2.1.1 and earlier, as a temporary workaround, consider restricting input to the `name input` field in new entry.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Professional Home Page Tools Guestbook (affected versions not specified) **Description** The issue concerns SQL injection vulnerabilities in the class.php file of Professional Home Page Tools Guestbook. Remote attackers can execute arbitrary SQL commands by manipulating the following parameters: `hidemail`, `name`, `mail`, `ip`, or `text`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chipmailer version 1.09 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to "php.php", which displays the output of the phpinfo function. **Recommendations** For Chipmailer version 1.09, consider restricting access to the "php.php" file to prevent unauthorized disclosure of sensitive information. As a temporary workaround, remove or rename the "php.php" file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chipmailer version 1.09 **Description** The issue allows remote attackers to execute arbitrary SQL commands via multiple parameters in the main.php file. The vulnerable parameters include `anfang`, `name`, `mail`, `anrede`, `vorname`, `nachname`, `gebtag`, `gebmonat`, and `gebjahr`. **Recommendations** For Chipmailer version 1.09, consider restricting access to the main.php file until a patch is available. As a temporary workaround, avoid using the parameters `anfang`, `name`, `mail`, `anrede`, `vorname`, `nachname`, `gebtag`, `gebmonat`, and `gebjahr` in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** Chipmailer version 1.09 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `name`, `betreff`, `mail`, and `text` parameters in the main.php file. **Recommendations** For Chipmailer version 1.09, avoid using the `name`, `betreff`, `mail`, and `text` parameters in the main.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input for these parameters to minimize the risk of exploitation.