Zynber

**Name of the Vulnerable Software and Affected Versions** Pro Chat Rooms version 3.0.2 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `gud` parameter in profiles/index.php. **Recommendations** For Pro Chat Rooms version 3.0.2, consider restricting access to the `gud` parameter in the profiles/index.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `gud` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Pro Chat Rooms version 3.0.2 **Description** The issue allows remote authenticated users to exploit a directory traversal vulnerability by selecting an arbitrary local PHP script as an avatar. This is achieved by using a .. (dot dot) in the `avatar` parameter. The vulnerability can be further exploited by using the "sendData.php" endpoint to send a message to either an individual user or a room, potentially leading to cross-site request forgery (CSRF) or cross-site scripting (XSS) impacts. **Recommendations** For Pro Chat Rooms version 3.0.2, consider restricting access to the `avatar` parameter and the "sendData.php" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `avatar` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JobSite Professional version 2.0 **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `id` parameter. **Recommendations** For JobSite Professional version 2.0, consider restricting access to the `file.php` script until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected script to minimize the risk of exploitation.