Alexandr Polyakov

**Name of the Vulnerable Software and Affected Versions** SAP NetWeaver Business Client (affected versions not specified) **Description** The issue is related to a stack-based buffer overflow in the SapThemeRepository ActiveX control, specifically in the sapwdpcd.dll component. This can be exploited by remote attackers to execute arbitrary code. The exploitation is possible via the `Load` and `LoadTheme` methods. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Textpattern (aka Txp CMS) version 4.0.5 **Description** The issue allows remote attackers to cause a denial of service. This is achieved by sending a long message parameter to the comments preview section in index.php. **Recommendations** For Textpattern (aka Txp CMS) version 4.0.5, consider restricting the length of the message parameter in the comments preview section to prevent denial of service attacks.

**Name of the Vulnerable Software and Affected Versions** Textpattern versions 4.0.5 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This can be achieved via the PATH INFO to "setup/index.php" or the `name` parameter to "index.php" in the comments preview section. **Recommendations** For version 4.0.5, consider disabling the comments preview section until a patch is available. Restrict access to "setup/index.php" and the `name` parameter in "index.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jinzora Media Jukebox version 2.7.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files. The affected parameters include `frontend`, `set frontend`, `jz path`, `theme`, `set theme`, `language`, `PATH INFO`, `query`, and `siteNewsData`. The vulnerable API endpoints include `index.php`, `ajax request.php`, `slim.php`, and `popup.php`. **Recommendations** For Jinzora Media Jukebox version 2.7.5, consider disabling the vulnerable parameters, such as `frontend`, `set frontend`, `jz path`, `theme`, `set theme`, `language`, `PATH INFO`, `query`, and `siteNewsData`, to minimize the risk of exploitation until a patch is available. Restrict access to the affected PHP files, including `index.php`, `ajax request.php`, `slim.php`, and `popup.php`, to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Dokeos version 1.8.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved through various parameters and HTTP headers, including the `id` parameter to "whoisonline.php", `tracking list coaches column` parameter to "main/mySpace/index.php", `tutor name` parameter to "main/create course/add course.php", the `Referer` HTTP header to "index.php", and the `X-Fowarded-For` HTTP header to "main/admin/class list.php". **Recommendations** For Dokeos version 1.8.4, consider disabling the parameters `id`, `tracking list coaches column`, and `tutor name` in their respective scripts until a patch is available. Restrict access to the "whoisonline.php", "main/mySpace/index.php", and "main/create course/add course.php" scripts to minimize the risk of exploitation. Avoid using the `Referer` and `X-Fowarded-For` HTTP headers in the "index.php" and "main/admin/class list.php" scripts, respectively, until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** PowerNews version 2.5.6 **Description** The issue allows remote attackers to read and include arbitrary files due to multiple directory traversal vulnerabilities. This is achieved by using a .. (dot dot) in specific parameters. For example, the `subpage` parameter in various .inc.php files and the `page` parameter to "pnadmin/index.php" are vulnerable. It's noted that one of the vectors is only exploitable by administrators. **Recommendations** For PowerNews version 2.5.6, consider restricting access to the vulnerable .inc.php files in the pnadmin directory and limiting the use of the `subpage` and `page` parameters until a fix is available. As a temporary workaround, avoid using the `subpage` parameter in categories.inc.php, news.inc.php, other.inc.php, permissions.inc.php, templates.inc.php, and users.inc.php, and restrict the `page` parameter in pnadmin/index.php to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DivideConcept VHD Web Pack version 2.0 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `page` parameter of the index.php file. This is a directory traversal vulnerability. **Recommendations** For DivideConcept VHD Web Pack version 2.0, consider restricting access to the index.php file until a patch is available. As a temporary workaround, avoid using the `page` parameter in the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XOOPS version 2.0.18 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a URL in the `xoops redirect` parameter in the htdocs/user.php file. **Recommendations** For XOOPS version 2.0.18, update to a version that fixes this issue to prevent remote attackers from redirecting users to arbitrary web sites.

**Name of the Vulnerable Software and Affected Versions** XOOPS version 2.0.18 **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `lang` parameter of the htdocs/install/index.php file. **Recommendations** For XOOPS version 2.0.18, consider restricting access to the htdocs/install/index.php file until a patch is available, and avoid using the `lang` parameter with untrusted input.

**Name of the Vulnerable Software and Affected Versions** AstroSoft HelpDesk versions prior to 1.95.228 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `txtSearch` parameter to the "operator/article/article search results.asp" endpoint and the `Attach Id` parameter to the "operator/article/article attachment.asp" endpoint. For the second vector, the XSS occurs in a forced SQL error message. **Recommendations** For versions prior to 1.95.228, update to version 1.95.228 or later to resolve the issue. As a temporary workaround, consider restricting access to the `txtSearch` parameter in the "operator/article/article search results.asp" endpoint and the `Attach Id` parameter in the "operator/article/article attachment.asp" endpoint until a patch is available. Avoid using the `txtSearch` and `Attach Id` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpCMS version 1.2.2 **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the parser/include/class.cache phpcms.php file. This can be achieved by including a .. (dot dot) in the `file` parameter to the "parser/parser.php" endpoint, as demonstrated by a filename ending with %00.gif. **Recommendations** For phpCMS version 1.2.2, consider restricting access to the `parser/parser.php` endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the `file` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BLOG:CMS version 4.2.1b **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `blogid` parameter to "index.php", the `user` parameter to "action.php", or the `field` parameter to "admin/plugins/table/index.php". **Recommendations** For BLOG:CMS version 4.2.1b, consider restricting access to the `index.php`, `action.php`, and `admin/plugins/table/index.php` endpoints until a patch is available. Avoid using the `blogid`, `user`, and `field` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BLOG:CMS version 4.2.1b **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the PATH INFO to specific API endpoints, such as "admin.php" or "index.php" in the "photo/" directory. **Recommendations** For BLOG:CMS version 4.2.1b, consider restricting access to the "admin.php" and "index.php" endpoints in the "photo/" directory until a fix is available. Avoid using the PATH INFO to inject parameters into these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** aria versions 0.99 through 0.99-6 **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the `page` parameter in the `/arias/help/effect.php` endpoint. **Recommendations** For aria versions 0.99 through 0.99-6, consider restricting access to the `/arias/help/effect.php` endpoint until a patch is available. As a temporary workaround, avoid using the `page` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tuned Studios Subwoofer, Freeze Theme, Orange Cutout, Lonely Maple, Endless, Classic Theme, and Music Theme webpage templates (affected versions not specified) **Description** The issue allows remote attackers to include and execute arbitrary files via ".." sequences in the `page` parameter of the index.php file. This can be leveraged for remote file inclusion when running in some PHP 5 environments. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 2z project version 0.9.6.1 **Description** The issue allows remote attackers to obtain sensitive information. This can be achieved through a request to `index.php` with an invalid template or a request to the default URI with certain `year` and `month` parameters. The vulnerability reveals the path in various error messages. **Recommendations** For version 0.9.6.1, consider restricting access to the `index.php` file and limiting the input for `year` and `month` parameters to prevent exploitation until a patch is available. As a temporary workaround, avoid using invalid templates in requests to `index.php` and restrict the use of certain `year` and `month` parameters in requests to the default URI.

**Name of the Vulnerable Software and Affected Versions** RunCMS versions prior to 1.6.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various means, including the `subject` parameter to "modules/news/submit.php", the `PATH INFO` to "modules/news/index.php", or an avatar image to "edituser.php". The `XoopsPageNav` class may be related to the vulnerability in the "modules/news/index.php" case. **Recommendations** For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "modules/news/submit.php" and "modules/news/index.php" scripts, as well as limiting the ability to upload avatar images to "edituser.php" until the update can be applied. Avoid using the `subject` parameter in "modules/news/submit.php" and the `PATH INFO` in "modules/news/index.php" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RunCMS versions prior to 1.6.1 **Description** The issue allows remote authenticated administrators to inject arbitrary PHP code via several parameters in different modules, including `header` and `footer` parameters to `modules/system/admin.php`, `disclaimer` parameters to various modules, and the `intro` parameter to `modules/sections/admin/index.php`. These injections lead to PHP sequences being written into cache files within the modules directory, potentially allowing for code execution. **Recommendations** For RunCMS versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters and modules, such as disabling the `header` and `footer` parameters in `modules/system/admin.php`, and avoiding the use of `disclaimer` parameters in affected modules until the update is applied. Additionally, restrict write access to cache files in the modules directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RunCMS versions prior to 1.6.1 **Description** The issue allows context-dependent attackers to change passwords without knowing the old password, by obtaining temporary access to a session. This is possible because the old password is not required during the password change process. **Recommendations** For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider implementing additional authentication measures to prevent unauthorized access to sessions.

**Name of the Vulnerable Software and Affected Versions** RunCMS versions prior to 1.6.1 **Description** The issue makes it easier for remote attackers to hijack sessions. This is due to the use of a predictable session id, which can be modified by attackers. **Recommendations** For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue.