The De@Th

Name of the Vulnerable Software and Affected Versions: Kaqoo Auction Software Free Edition (affected versions not specified) Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `install root` parameter to multiple PHP files. This includes files such as "support.inc.php", "function.inc.php", "rdal object.inc.php", and others in various directories like "include/core/", "include/display/item/", and "include/display/". The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. Technical details about exploitation include the use of API endpoints and vulnerable parameters or variables, such as the `install root` parameter. Recommendations: As a temporary workaround, consider disabling the vulnerable PHP files until a patch is available. Restrict access to the vulnerable directories to minimize the risk of exploitation. Avoid using the `install root` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** aWebNews version 1.5 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path to news` parameter to specific PHP files, including "listing.php" and "visview.php" API endpoints. **Recommendations** For aWebNews version 1.5, consider restricting access to the `listing.php` and `visview.php` files until a patch is available, and avoid using the `path to news` parameter in these API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** eFiction versions 3.1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `path to smf` parameter to specific PHP files, such as "bridges/SMF/logout.php" or "get session vars.php". **Recommendations** For eFiction versions 3.1.1 and earlier, consider restricting access to the `bridges/SMF/logout.php` and `get session vars.php` files until a patch is available. Avoid using the `path to smf` parameter in these files to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: ZebraFeeds version 1.0 Description: The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved by providing a URL in the `zf path` parameter to specific API endpoints, such as "aggregator.php" and "controller.php" in the "newsfeeds/includes/" directory. Recommendations: For ZebraFeeds version 1.0, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the "aggregator.php" and "controller.php" files in the "newsfeeds/includes/" directory until a fix is available. Avoid using the `zf path` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** bluevirus-design SMA-DB versions 0.3.9 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `pfad z` parameter in the theme/settings.php file. **Recommendations** For bluevirus-design SMA-DB versions 0.3.9 and earlier, avoid using the `pfad z` parameter in the theme/settings.php file until a fix is available. Consider restricting access to the theme/settings.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DreamStats System versions 4.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `rootpath` parameter in the index.php file. This can be exploited by providing a malicious URL. **Recommendations** For DreamStats System versions 4.2 and earlier, update to a version later than 4.2 to resolve the issue. As a temporary workaround, consider restricting access to the `rootpath` parameter in the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JV2 Folder Gallery versions 3.0.2 and earlier **Description** A remote file inclusion issue allows remote attackers to execute arbitrary PHP code via a URL in the `galleryfilesdir` parameter. This can be exploited by providing a malicious URL to the vulnerable endpoint. **Recommendations** For JV2 Folder Gallery versions 3.0.2 and earlier, update to a version later than 3.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the `theme/include mode/template.php` file to minimize the risk of exploitation. Avoid using the `galleryfilesdir` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ad Fundum Integratable News Script (AINS) version 0.02b **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `ains path` parameter in the ains main.php file. This enables attackers to potentially compromise the system by injecting malicious code. **Recommendations** For version 0.02b, consider restricting access to the `ains main.php` file or avoiding the use of the `ains path` parameter until a fix is available. As a temporary workaround, restrict access to the vulnerable module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Xt-Stats versions 2.3.x through 2.4.0.b3 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `server base dir` parameter in the xt counter.php file. **Recommendations** For Xt-Stats versions 2.3.x through 2.4.0.b3, avoid using the `server base dir` parameter in the affected API endpoint until the issue is resolved. Consider restricting access to the xt counter.php file to minimize the risk of exploitation.