eNdonesia · CVE-2006-6871
Name of the Vulnerable Software and Affected Versions:
eNdonesia version 8.4
Description:
The issue is cross-site scripting (XSS): remote attackers can inject arbitrary web script or HTML. The affected inputs include the `mod` parameter in a `viewlink` operation in `mod.php`, the `intypeid` parameter in a `showinfo` operation in the `informasi` module in `mod.php`, the "your Friend" field in `friend.php`, and the "Main Text" field in `admin.php`.
Recommendations:
For eNdonesia version 8.4, consider disabling the vulnerable fields and parameters, such as the `mod` parameter in `mod.php`, the `intypeid` parameter in the `informasi` module, the "your Friend" field in `friend.php`, and the "Main Text" field in `admin.php`, until a patch is available. Restrict access to the affected modules and files to minimize the risk of exploitation.
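One way to restrict the two `mod.php` parameters named above until a patch is available, as an added example (not eNdonesia code and not part of the original advisory). It assumes `mod` holds a module name made of letters, digits and underscores and `intypeid` holds a numeric ID; the constant `GUARD_RULES`, the function `guard_violations` and both patterns are hypothetical.

```php
<?php
// Added example: request guard for eNdonesia 8.4 mod.php (not project code).
// Assumption: `mod` is a module name (letters, digits, underscore) and
// `intypeid` is a numeric identifier; adjust the patterns if the site differs.
const GUARD_RULES = [
    'mod'      => '/\A[A-Za-z0-9_]{1,64}\z/',
    'intypeid' => '/\A[0-9]{1,10}\z/',
];

/** Return the names of guarded parameters whose values fail their pattern. */
function guard_violations(array $params, array $rules = GUARD_RULES): array
{
    $bad = [];
    foreach ($rules as $name => $pattern) {
        if (!array_key_exists($name, $params)) {
            continue; // parameter not supplied in this source
        }
        $value = $params[$name];
        // Array-valued input (mod[]=...) is rejected along with bad strings.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $bad[] = $name;
        }
    }
    return $bad;
}

// Enforce only for mod.php, and only when running under a web server.
if (PHP_SAPI !== 'cli' && basename($_SERVER['SCRIPT_NAME'] ?? '') === 'mod.php') {
    $bad = [];
    // Check each source separately so a clean GET value cannot mask a bad
    // POST or cookie value on installs that merge request variables.
    foreach ([$_GET, $_POST, $_COOKIE] as $source) {
        $bad = array_merge($bad, guard_violations($source));
    }
    if ($bad !== []) {
        // Log parameter names only, never the raw value.
        error_log('eNdonesia guard: rejected ' . implode(',', array_unique($bad))
            . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '-'));
        http_response_code(400);
        header('Content-Type: text/plain; charset=UTF-8');
        exit("Bad request\n");
    }
}
```

Load it before the application runs, for example through PHP's `auto_prepend_file` setting. It does not cover the "your Friend" and "Main Text" form fields, whose request parameter names the advisory does not give.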