Unohope

**Name of the Vulnerable Software and Affected Versions** Tornado Knowledge Retrieval System versions 4.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `p` parameter in a "root action". **Recommendations** For versions 4.2 and earlier, avoid using the `p` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: C. Desseno YouTube Blog (ytb) version 0.1 Description: The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML via the `m` parameter in mensaje.php. Recommendations: For version 0.1, avoid using the `m` parameter in the mensaje.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input for the `m` parameter to prevent malicious script injection.

Name of the Vulnerable Software and Affected Versions: C. Desseno YouTube Blog (ytb) version 0.1 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the todos.php file, which is susceptible to SQL injection. Recommendations: For version 0.1, avoid using the `id` parameter in the todos.php file until the issue is resolved. As a temporary workaround, consider restricting access to the todos.php file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: C. Desseno YouTube Blog (ytb) version 0.1 Description: The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved by providing a URL in the `base archivo` parameter. Recommendations: For version 0.1, disable the register globals setting to prevent exploitation. Additionally, restrict access to the cuenta/cuerpo.php file until a proper fix is applied. Avoid using the `base archivo` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** yBlog version 0.2.2.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the `q` parameter to the "search.php" endpoint, or the `n` parameter to the "user.php" or "uss.php" endpoints. **Recommendations** For yBlog version 0.2.2.2, consider restricting access to the "search.php", "user.php", and "uss.php" endpoints until a fix is available. As a temporary workaround, avoid using the `q` parameter in the "search.php" endpoint and the `n` parameter in the "user.php" and "uss.php" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ErfurtWiki versions R1.02b and earlier **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal vulnerabilities. This can be achieved by using a .. (dot dot) in the `ewiki id` and `ewiki action` parameters to "fragments/css.php", and possibly the `id` parameter to the default URI. The default URI is site-specific but often performs an include once of ewiki.php. **Recommendations** For ErfurtWiki versions R1.02b and earlier, consider disabling the `register globals` setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the "fragments/css.php" file and the default URI to minimize the risk of exploitation. Avoid using the `ewiki id`, `ewiki action`, and `id` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** yBlog version 0.2.2.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `q` parameter to the "search.php" endpoint, or the `n` parameter to the "user.php" or "uss.php" endpoints. **Recommendations** For yBlog version 0.2.2.2, as a temporary workaround, consider restricting access to the "search.php", "user.php", and "uss.php" endpoints until a patch is available. Avoid using the `q` parameter in the "search.php" endpoint and the `n` parameter in the "user.php" and "uss.php" endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Insanely Simple Blog version 0.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` parameter or the `term` parameter in a search action in the index.php file. **Recommendations** For Insanely Simple Blog version 0.5, consider restricting access to the index.php file until a patch is available. As a temporary workaround, avoid using the `id` and `term` parameters in the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DCFM Blog version 0.9.4 **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the comments.php file. **Recommendations** For DCFM Blog version 0.9.4, consider restricting access to the comments.php file or avoiding the use of the `id` parameter until a fix is available.