Astharot

**Name of the Vulnerable Software and Affected Versions** NukeBookmarks version 0.6 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `catname`, `markname`, `comment`, or `category` parameters, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For NukeBookmarks version 0.6, consider validating and sanitizing user input for the `catname`, `markname`, `comment`, and `category` parameters to prevent arbitrary web script or HTML injection. As a temporary workaround, restrict access to these parameters until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NukeBookmarks version 0.6 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `category` parameter in the marks.php file. **Recommendations** For NukeBookmarks version 0.6, consider restricting access to the marks.php file or the `category` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NukeBookmarks version 0.6 **Description** The issue allows remote attackers to obtain sensitive information via an invalid `file` or `category` parameter in the marks.php file, which reveals the path in an error message. **Recommendations** For NukeBookmarks version 0.6, consider validating and sanitizing the `file` and `category` parameters to prevent the disclosure of sensitive information. As a temporary workaround, restrict access to the marks.php file until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** cpCommerce version 0.5f **Description** The issue allows remote attackers to execute arbitrary code via the `prefix` parameter in the functions.php file. This is a result of a remote file inclusion vulnerability. **Recommendations** For cpCommerce version 0.5f, consider restricting access to the functions.php file or the `prefix` parameter to minimize the risk of exploitation. Avoid using the `prefix` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.