Amember · Amember Pro · CVE-2005-2865
**Name of the Vulnerable Software and Affected Versions**
aMember Pro version 2.3.4
**Description**
The issue allows remote attackers to execute arbitrary PHP code via the `config[root_dir]` parameter to various PHP files, including (1) mysql.inc.php, (2) efsnet.inc.php, (3) theinternetcommerce.inc.php, (4) cdg.inc.php, (5) compuworld.inc.php, (6) directone.inc.php, (7) authorize_aim.inc.php, (8) beanstream.inc.php, (9) config.inc.php, (10) eprocessingnetwork.inc.php, (11) eway.inc.php, (12) linkpoint.inc.php, (13) logiccommerce.inc.php, (14) netbilling.inc.php, (15) payflow_pro.inc.php, (16) paymentsgateway.inc.php, (17) payos.inc.php, (18) payready.inc.php, or (19) plugnplay.inc.php.
**Recommendations**
As a temporary workaround, consider restricting access to the `config[root_dir]` parameter in the affected PHP files until a patch is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
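While the workaround is in place, web server access logs can show whether requests are supplying the `config[root_dir]` parameter to the listed files. The scanner below is an added example, not part of the original advisory or of aMember's code; it assumes common/combined-format access logs, and the paths, addresses and values in its sample lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote

# The 19 include files named in the advisory.
AFFECTED = {
    "mysql.inc.php", "efsnet.inc.php", "theinternetcommerce.inc.php",
    "cdg.inc.php", "compuworld.inc.php", "directone.inc.php",
    "authorize_aim.inc.php", "beanstream.inc.php", "config.inc.php",
    "eprocessingnetwork.inc.php", "eway.inc.php", "linkpoint.inc.php",
    "logiccommerce.inc.php", "netbilling.inc.php", "payflow_pro.inc.php",
    "paymentsgateway.inc.php", "payos.inc.php", "payready.inc.php",
    "plugnplay.inc.php",
}
PARAM = "config[root_dir]"
# Common/combined log format: the request line is the first quoted field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def flag_line(line):
    """Return (file, method) when the line requests an affected file and the
    query string carries config[root_dir]; otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Lowercase the decoded file name: case-insensitive file systems ignore case.
    filename = unquote(path).rsplit("/", 1)[-1].lower()
    if filename not in AFFECTED:
        return None
    # parse_qsl percent-decodes names, so config%5Broot_dir%5D matches too.
    # Request bodies are not in access logs, so body-only parameters are unseen.
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return (filename, m.group("method")) if PARAM in names else None

def scan(lines):
    """Return (line_number, file, method) for every flagged line."""
    hits = ((n, flag_line(line)) for n, line in enumerate(lines, 1))
    return [(n, *hit) for n, hit in hits if hit]

# Constructed sample lines; paths, addresses and values are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/PLACEHOLDER/mysql.inc.php?config[root_dir]=PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /app/PLACEHOLDER/Payflow_Pro.inc.php?a=1&config%5Broot_dir%5D=PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /app/index.php?config[root_dir]=PLACEHOLDER HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /app/PLACEHOLDER/eway.inc.php?id=5 HTTP/1.1" 200 512',
    '192.0.2.14 - - [01/Jan/2024:10:00:20 +0000] "POST /app/PLACEHOLDER/config.inc.php?config[root_dir]= HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Lines 3 and 4 of the sample are deliberately not flagged: one targets a file outside the advisory's list, the other requests a listed file without the parameter.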