Ams

**Name of the Vulnerable Software and Affected Versions** Shop-Script Pro version 2.12 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `current currency` parameter in the "index.php" file when the magic quotes gpc setting is disabled. **Recommendations** For Shop-Script Pro version 2.12, consider disabling the use of the `current currency` parameter in the "index.php" file until a patch is available, or enable the magic quotes gpc setting to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Pligg CMS version 9.9.5 Beta **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `url` parameter in the `evb/check url.php` file. **Recommendations** For Pligg CMS version 9.9.5 Beta, avoid using the `url` parameter in the `evb/check url.php` file until a patch is available. As a temporary workaround, consider restricting access to the `evb/check url.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MemHT Portal version 4.0.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the X-Forwarded-For HTTP header in the inc/ajax/ajax rating.php file. **Recommendations** For MemHT Portal version 4.0.1, consider restricting access to the inc/ajax/ajax rating.php file until a patch is available. As a temporary workaround, avoid using the X-Forwarded-For HTTP header in this context to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MemHT Portal versions 3.9.0 and earlier Description: The issue allows remote attackers to execute arbitrary SQL commands. This is possible when the `magic quotes gpc` setting is disabled. Attackers can exploit this by sending a crafted `stats res` cookie to the `index.php` endpoint. Recommendations: For MemHT Portal versions 3.9.0 and earlier, consider enabling the `magic quotes gpc` setting to prevent SQL injection attacks. As a temporary workaround, restrict access to the `inc/inc statistics.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MemHT Portal versions 3.9.0 and earlier **Description** The issue allows remote attackers to obtain sensitive information via a direct request to `cron.php`, which reveals the installation path in an error message. **Recommendations** For MemHT Portal versions 3.9.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** moziloCMS version 1.10.1 **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the download.php file when magic quotes gpc is disabled. This is achieved by using a .. (dot dot) in the `cat` parameter. **Recommendations** For moziloCMS version 1.10.1, consider disabling the download.php file or restricting access to it until a patch is available. Additionally, enabling magic quotes gpc can help mitigate this issue. Avoid using the `cat` parameter in the download.php file until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: fuzzylime (cms) versions 3.01a and earlier Description: The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `p` parameter. This can be achieved when `magic quotes gpc` is disabled. An example of exploitation is using `content.php`. Recommendations: For versions 3.01a and earlier, consider disabling the `rss.php` script until a patch is available, or enable `magic quotes gpc` to prevent the exploitation of this issue. Restrict access to the `p` parameter in the `rss.php` script to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Neutrino Atomic Edition version 0.8.4 Description: The issue allows remote attackers to read and modify files due to a directory traversal vulnerability in index.php. This can be exploited by manipulating data/sess.php in certain actions, such as 'usb' and 'del pag' actions. It is also possible to leverage this issue for code execution by performing an upload that bypasses access restrictions implemented in sess.php. Recommendations: For Neutrino Atomic Edition version 0.8.4, consider restricting access to the vulnerable index.php file and the data/sess.php file until a patch is available. As a temporary workaround, avoid using the 'usb' and 'del pag' actions in index.php to minimize the risk of exploitation.