Blackndoor

**Name of the Vulnerable Software and Affected Versions** XCMS version 1.1 **Description** The issue concerns multiple directory traversal vulnerabilities. These vulnerabilities allow remote attackers to include and execute arbitrary local files. The attack can be performed by including a .. (dot dot) in the `Ent` or `Lang` parameter. **Recommendations** For XCMS version 1.1, consider restricting access to the Module/Galerie.php file until a patch is available. As a temporary workaround, avoid using the `Ent` and `Lang` parameters in sensitive operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ripe Website Manager versions 0.8.9 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `level` parameter to specific PHP files, such as `admin/includes/author panel header.php` or `admin/includes/admin header.php`. **Recommendations** For Ripe Website Manager versions 0.8.9 and earlier, consider disabling access to the `admin/includes/author panel header.php` and `admin/includes/admin header.php` files until a fix is available. Restrict input for the `level` parameter to prevent remote file inclusion. At the moment, there is no information about a newer version that contains a fix for this vulnerability.