3L3Ctric-Cracker

**Name of the Vulnerable Software and Affected Versions** Yaap versions 1.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `root path` parameter, possibly related to the ` autoload` function. **Recommendations** For Yaap versions 1.5 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RPW version 1.0.2 **Description** A remote file inclusion issue in the config.php file allows remote attackers to execute arbitrary PHP code via a URL in the `sql language` parameter. **Recommendations** For RPW version 1.0.2, consider restricting access to the `config.php` file and avoid using the `sql language` parameter in URLs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Inter7 vHostAdmin version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `MODULES DIR` parameter in the modules/mail/main.php file. **Recommendations** For Inter7 vHostAdmin version 1.0, restrict access to the `MODULES DIR` parameter to minimize the risk of exploitation. Avoid using the `MODULES DIR` parameter in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BBClone version 0.31 **Description** A remote file inclusion issue in lib/selectlang.php allows remote attackers to execute arbitrary PHP code via a URL in the `BBC LANGUAGE PATH` parameter. **Recommendations** For BBClone version 0.31, avoid using the `BBC LANGUAGE PATH` parameter in the affected API endpoint until the issue is resolved. Consider restricting access to the lib/selectlang.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpXMLDOM (phpXD) versions 0.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path` parameter to specific API endpoints: "/include/dom.php", "/include/dtd.php", or "/include/parser.php". **Recommendations** For phpXMLDOM (phpXD) versions 0.3 and earlier, consider restricting access to the vulnerable API endpoints "/include/dom.php", "/include/dtd.php", and "/include/parser.php" to minimize the risk of exploitation. Avoid using the `path` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Neon Labs Website (nlws) versions 3.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `g strRootDir` parameter. This is a result of a PHP remote file inclusion vulnerability in the lib/nl/nl.php file. **Recommendations** For versions 3.2 and earlier, consider restricting access to the `g strRootDir` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `g strRootDir` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MySpeach version 2.1 beta and possibly earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `my[root]` parameter in the up.php file. **Recommendations** For MySpeach version 2.1 beta and possibly earlier, consider restricting access to the up.php file until a patch is available. As a temporary workaround, avoid using the `my[root]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PhpSherpa (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `racine` parameter in the include/config.inc.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oreon versions 1.2.3 RC4 and earlier Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `file` parameter in the lang/index.php file. Recommendations: For Oreon versions 1.2.3 RC4 and earlier, consider disabling the lang/index.php file or restricting access to it until a patch is available. Avoid using the `file` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Article System version 1.0 Description: The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `INCLUDE DIR` parameter to specific API endpoints, such as "forms.php", "issue edit.php", "client.php", and "classes.php". Recommendations: For Article System version 1.0, consider restricting access to the `INCLUDE DIR` parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the `INCLUDE DIR` parameter in the "forms.php", "issue edit.php", "client.php", and "classes.php" endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Vz (Adp) Forum version 2.0.3 Description: The issue allows remote attackers to obtain sensitive information, specifically the administrative account name and password hash, due to insufficient access control. This is achieved by making a direct request for the `users/admin.txt` file. Recommendations: For version 2.0.3, restrict access to the `users/admin.txt` file to prevent unauthorized access, or consider relocating sensitive information outside the web root until a proper fix is available.

Name of the Vulnerable Software and Affected Versions: P-News versions 1.16 through 1.17 Description: The issue allows remote attackers to obtain sensitive information, including the administrative account name and password hash, due to insufficient access control. This is achieved by making a direct request for the db/user.dat file, which stores sensitive information under the web root. Recommendations: For P-News versions 1.16 through 1.17, consider restricting access to the db/user.dat file to minimize the risk of exploitation. As a temporary workaround, limit direct requests to this file until a proper fix is applied.

Name of the Vulnerable Software and Affected Versions: Matteo Lucarelli 3editor CMS versions 0.42 and earlier Description: A directory traversal issue exists in index.php, allowing remote attackers to include arbitrary files via a .. (dot dot) in the `page` parameter when `register globals` is enabled. Recommendations: For versions 0.42 and earlier, consider disabling the `register globals` setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the `index.php` file to minimize the risk of arbitrary file inclusion.

Name of the Vulnerable Software and Affected Versions: Newxooper version 0.9.1 Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `chemin` parameter in the compteur/mapage.php file. Recommendations: For Newxooper version 0.9.1, consider restricting access to the `chemin` parameter in the compteur/mapage.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mxBB module mx act version 0.92 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `module root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the includes/act constants.php file of the Activity Games module. **Recommendations** For mxBB module mx act version 0.92, consider restricting access to the `module root path` parameter to minimize the risk of exploitation. Avoid using the `module root path` parameter in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mxBB Knowledge Base (mx kb) module version 2.0.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `module root path` parameter. This is a result of a PHP remote file inclusion vulnerability in the `includes/kb constants.php` file of the Knowledge Base module for mxBB. **Recommendations** For version 2.0.2, as a temporary workaround, consider restricting access to the `includes/kb constants.php` file until a patch is available. Avoid using the `module root path` parameter in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mxBB Knowledge Base (mx kb) module version 2.0.2 **Description** The issue allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the `phpEx` parameter, potentially leading to directory traversal attacks. This could enable attackers to access sensitive files or execute malicious code. **Recommendations** For version 2.0.2, consider restricting access to the `includes/kb constants.php` file until a patch is available. As a temporary workaround, avoid using the `phpEx` parameter in the affected module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Flyspray ME version 1.0.1 **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the startdown.php file. This is achieved by using a .. (dot dot) in the `file` parameter. **Recommendations** For Flyspray ME version 1.0.1, consider restricting access to the startdown.php file until a patch is available. As a temporary workaround, avoid using the `file` parameter in the affected component to minimize the risk of exploitation.