Black Code

**Name of the Vulnerable Software and Affected Versions** 35mmslidegallery version 6.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `imgdir` parameter in "index.php", and the `w`, `h`, and `t` parameters in "popup.php". **Recommendations** For version 6.0, avoid using the `imgdir`, `w`, `h`, and `t` parameters in the affected API endpoints until the issue is resolved. Restrict access to "index.php" and "popup.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xtreme Scripts Download Manager version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `root` parameter in several PHP files, including "download.php", "manager.php", "admin/scripts/category.php", "includes/add allow.php", "admin/index.php", and "admin/admin/login.php". **Recommendations** For Xtreme Scripts Download Manager version 1.0, consider disabling the `root` parameter in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the `root` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Cantico Ovidentia version 5.8.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `babInstallPath` parameter in multiple PHP scripts, including "index.php", "topman.php", "approb.php", "vacadmb.php", "vacadma.php", "vacadm.php", "statart.php", "search.php", "posts.php", "options.php", "login.php", "frchart.php", "flbchart.php", "fileman.php", "faq.php", "event.php", "directory.php", "articles.php", "artedit.php", and "calday.php". **Recommendations** For Cantico Ovidentia version 5.8.0, consider restricting access to the `babInstallPath` parameter in the affected PHP scripts until a patch is available. As a temporary workaround, disabling the execution of arbitrary PHP code via URL parameters in these scripts can help minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** coolphp magazine (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the index.php file of coolphp magazine. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters, including `op`, `nick`, and possibly `0000`, `userinfo`, `comp der`, `encuestas`, and `pagina`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.