Blindkey

**Name of the Vulnerable Software and Affected Versions** 74cms version 3.2.0 **Description** The issue is related to a lack of protection against SQL query structure attacks in the `plus/ajax street.php` component of the 74cms system. This can be exploited by a remote attacker to execute arbitrary SQL queries through the `x` parameter. **Recommendations** For 74cms version 3.2.0, consider restricting access to the `plus/ajax street.php` endpoint until a patch is available, and avoid using the `x` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DedeCMS version 5.7 **Description** The issue is related to a SQL Injection vulnerability. It can be exploited via the `mdescription` parameter to the "member/ajax membergroup.php" API endpoint. **Recommendations** For DedeCMS version 5.7, avoid using the `mdescription` parameter in the "member/ajax membergroup.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "member/ajax membergroup.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpCMS 2007 SP6 build 0805 **Description** The issue is related to a SQL Injection vulnerability. It can be exploited via the `digg mod` parameter to the "digg add.php" endpoint. **Recommendations** For phpCMS 2007 SP6 build 0805, consider restricting access to the "digg add.php" endpoint until a fix is available. As a temporary workaround, avoid using the `digg mod` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpCMS version 9.1.13 **Description** The issue is related to a Directory Traversal vulnerability. It can be exploited via the `q` parameter to the "public get suggest keyword" endpoint. **Recommendations** For phpCMS version 9.1.13, consider restricting access to the "public get suggest keyword" endpoint until a patch is available. As a temporary workaround, avoid using the `q` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpCMS 2008 sp4 **Description** The issue allows remote malicious users to execute arbitrary php commands. This is achieved via the `pagesize` parameter to the "yp/product.php" endpoint. **Recommendations** For phpCMS 2008 sp4, consider restricting access to the "yp/product.php" endpoint or avoid using the `pagesize` parameter until a fix is available.

**Name of the Vulnerable Software and Affected Versions** phpCMS 2008 sp4 **Description** The issue is related to SQL Injection in phpCMS via the `genre` parameter to "yp/job.php" API endpoint. **Recommendations** For phpCMS 2008 sp4, as a temporary workaround, consider restricting access to the "yp/job.php" API endpoint until a patch is available. Avoid using the `genre` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ECShop version 2.7.6 **Description** The issue is related to SQL Injection via the `goods number` parameter to the "flow.php" endpoint. This allows for potential exploitation. **Recommendations** For ECShop version 2.7.6, avoid using the `goods number` parameter in the "flow.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "flow.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ECShop version 3.0 **Description** The issue is related to SQL injection in ECShop 3.0, specifically via the `aid` parameter to the "admin/affiliate ck.php" endpoint. This allows for potential SQL injection attacks. **Recommendations** For ECShop version 3.0, consider restricting access to the "admin/affiliate ck.php" endpoint until a patch is available. As a temporary workaround, avoid using the `aid` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 74cms version 3.2.0 **Description** The issue is related to SQL Injection in 74cms via the query parameter to "plus/ajax common.php". **Recommendations** For 74cms version 3.2.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 74cms version 3.2.0 **Description** The issue is related to SQL Injection in 74cms via the `id` parameter to "wap/wap-company-show.php". **Recommendations** For 74cms version 3.2.0, as a temporary workaround, consider restricting access to the "wap/wap-company-show.php" endpoint until a patch is available. Avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** 74cms version 3.2.0 **Description** The issue is related to a lack of protection against SQL query structure exploitation in the `ajax officebuilding.php` component of the 74cms system. This can allow a remote attacker to execute arbitrary SQL queries via the `x` parameter. **Recommendations** For 74cms version 3.2.0, consider restricting access to the `ajax officebuilding.php` component until a patch is available, and avoid using the `x` parameter in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** 74cms version 3.2.0 **Description** The issue is related to a lack of protection against SQL structure attacks in the plus/ajax street.php component of the 74cms system. This can be exploited by a remote attacker to execute arbitrary SQL queries via the `key` parameter. **Recommendations** For 74cms version 3.2.0, consider restricting access to the plus/ajax street.php endpoint until a patch is available, and avoid using the `key` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ECShop version 3.0 **Description** The issue is related to a lack of measures to neutralize special elements used in SQL queries, which can be exploited by a remote attacker to execute arbitrary SQL code. This can be done by executing the admin/shophelp.php script with the `id` parameter. **Recommendations** For ECShop version 3.0, consider restricting access to the admin/shophelp.php script or disabling the use of the `id` parameter until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint until the issue is resolved.