Unkn0Wn

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** The software contains a remote code execution issue in the `add panel form()` function. This allows attackers to execute arbitrary code through the use of an `eval()` function with unsanitized data received via POST requests. Exploitation occurs by sending crafted `panel content` parameters to the `/panels.php` endpoint. The `/panels.php` endpoint is the target of the attack. The `panel content` parameter is the vulnerable variable used to inject malicious code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** The application does not properly sanitize user input before rendering it in a browser, which allows attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the `panel content` POST parameter in the ''panels.php'' file, resulting in the execution of malicious scripts within the context of the affected site. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 60CycleCMS version 2.5.2 **Description** The software contains an SQL injection issue in the 'news.php' and 'common/lib.php' files. Attackers can manipulate database queries through unvalidated user input. Specifically, the 'title' parameter is vulnerable to malicious SQL code injection, potentially allowing attackers to extract or modify database contents. This issue does not involve cross-site scripting. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all user-supplied input to the 'title' parameter before using it in database queries.

**Name of the Vulnerable Software and Affected Versions** 60CycleCMS version 2.5.2 **Description** The software contains a cross-site scripting (XSS) issue in the news.php file. This allows attackers to inject malicious scripts through GET parameters. Attackers can create malicious URLs with XSS payloads targeting the `etsu` and `ltsu` parameters to execute arbitrary scripts in victim’s browsers. This does not involve SQL injection. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all input received through the `etsu` and `ltsu` parameters in the 'news.php' file.