Thunder

Name of the Vulnerable Software and Affected Versions: X10media x10 Automatic Mp3 Search Engine Script versions 1.5.5 through 1.6 Description: The issue allows remote attackers to read arbitrary files via an encoded `url` parameter. This can be demonstrated by obtaining database credentials from `includes/constants.php`. Recommendations: For versions 1.5.5 through 1.6, consider restricting access to the `download.php` file until a patch is available. As a temporary workaround, avoid using the encoded `url` parameter in the `download.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** x10 Automatic MP3 Script version 1.5.5 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `web root` parameter to specific PHP files, such as `includes/function core.php` and `templates/layout lyrics.php`. **Recommendations** For version 1.5.5, consider restricting access to the `includes/function core.php` and `templates/layout lyrics.php` files to minimize the risk of exploitation. Avoid using the `web root` parameter in these files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.