Alfons Luja

**Name of the Vulnerable Software and Affected Versions** MemeCode Software i.Scribe versions 1.88 through 2.00 before Beta9 **Description** The issue allows remote SMTP servers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in a server response. This occurs when the software fails to properly handle the response while displaying the signon message. **Recommendations** For versions 1.88 through 2.00 before Beta9, update to Beta9 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MiniGal version b13 Description: A directory traversal issue in index.php allows remote attackers to read the source code of .php files, and possibly the content of other files, via a .. (dot dot) in the `list` parameter. Recommendations: For MiniGal version b13, consider restricting access to the index.php file until a patch is available. As a temporary workaround, avoid using the `list` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Pluck version 4.6.1 Description: A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `post` parameter. Recommendations: For Pluck version 4.6.1, consider restricting access to the `module pages site.php` file in the `data/modules/blog` directory until a patch is available. As a temporary workaround, avoid using the `post` parameter with untrusted input.

Name of the Vulnerable Software and Affected Versions: VicFTPS version 5.0 Description: The issue allows remote attackers to cause a denial of service, resulting in a crash, by sending a LIST command that starts with a "//" (forward slash, backward slash, forward slash). Recommendations: For VicFTPS version 5.0, consider restricting access to the LIST command or avoiding the use of the specific "//" sequence in the command until a fix is available.

**Name of the Vulnerable Software and Affected Versions** FlatnuX CMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled and magic quotes gpc is disabled. This can be achieved by providing a URL in the ` FNROOTPATH` parameter to specific API endpoints, such as "index.php" and "filemanager.php". **Recommendations** For all affected versions, ensure register globals is disabled and magic quotes gpc is enabled to prevent exploitation. As a temporary workaround, consider restricting access to the "index.php" and "filemanager.php" endpoints until the issue is resolved. Avoid using the ` FNROOTPATH` parameter in these endpoints until the issue is fixed.

Directory traversal vulnerability in code/track.php in FuzzyLime 3.03 allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the p parameter, a different vector than CVE-2007-4805 and CVE-2008-3165.