Boom3Rang

**Name of the Vulnerable Software and Affected Versions** PHP Live! versions 3.2.1 through 3.2.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `x` parameter to specific API endpoints, including "message box.php" and "request.php". **Recommendations** For versions 3.2.1 and 3.2.2, consider restricting access to the "message box.php" and "request.php" endpoints until a fix is available. As a temporary workaround, avoid using the `x` parameter in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com zoom version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `catid` parameter in the "index.php" endpoint. **Recommendations** For version 2.0, avoid using the `catid` parameter in the "index.php" endpoint until the issue is resolved. Consider restricting access to the vulnerable component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Inout Adserver (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in the ppc-add-keywords.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component BookFlip (com bookflip) version 2.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `book id` parameter in the "index.php" endpoint. **Recommendations** For version 2.1 of the BookFlip component, avoid using the `book id` parameter in the index.php endpoint until the issue is resolved. Consider temporarily restricting access to the index.php endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Joomla! component com ice version 0.5 beta 2 Description: A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `catid` parameter in the `index.php` API endpoint. Recommendations: For version 0.5 beta 2, consider restricting access to the `catid` parameter in the `index.php` endpoint until a patch is available. As a temporary workaround, avoid using the `catid` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** YABSoft Advanced Image Hosting (AIH) Script version 2.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `gal` parameter in the gallery list.php file. **Recommendations** For YABSoft Advanced Image Hosting (AIH) Script version 2.3, consider restricting access to the gallery list.php file until a patch is available. As a temporary workaround, avoid using the `gal` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpComasy version 0.9.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `entry id` parameter in the "index.php" file. **Recommendations** For phpComasy version 0.9.1, consider restricting access to the `entry id` parameter in the "index.php" file until a patch is available. As a temporary workaround, avoid using the `entry id` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: e107 image gallery plugin version 0.9.6.2 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `image` parameter in an `image-detail` action within the `image gallery.php` file of the Akira Powered Image Gallery plugin. Recommendations: For version 0.9.6.2, consider restricting access to the `image gallery.php` file until a patch is available. As a temporary workaround, avoid using the `image` parameter in the `image-detail` action to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Joomla! com volunteer module version 2.0 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `job id` parameter in a "jobshow" action to "index.php". Recommendations: For version 2.0 of the com volunteer module, update to a version that fixes this issue. If no specific fix is provided for version 2.0, consider disabling the module until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the "index.php" endpoint for the "jobshow" action to minimize the risk of SQL injection attacks via the `job id` parameter.

**Name of the Vulnerable Software and Affected Versions** GigCalendar (com gigcal) component version 1.0 for Mambo and Joomla! **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `gigcal gigs id` parameter in a "details" action to the "index.php" endpoint. **Recommendations** For GigCalendar (com gigcal) component version 1.0, avoid using the `gigcal gigs id` parameter in the "details" action to the "index.php" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joomla! component mDigg (com mdigg) version 2.2.8 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `cagtegory` parameter in a `story lists` action to `index.php`. **Recommendations** For version 2.2.8, consider restricting access to the `story lists` action in `index.php` to minimize the risk of exploitation, and avoid using the `cagtegory` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joomla! com liveticker module version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `tid` parameter in a "viewticker" action to "index.php". **Recommendations** For version 1.0 of the com liveticker module, avoid using the `tid` parameter in the "viewticker" action to "index.php" until the issue is resolved. Consider temporarily restricting access to the com liveticker module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** I-Rater Basic (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `idp` parameter in the messages.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hotel Booking Reservation System (aka HBS) version 1.0.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `r type` parameter in a "showhoteldetails" action to "index.php". **Recommendations** For Hotel Booking Reservation System (aka HBS) version 1.0.0, consider restricting access to the `com hbssearch` component until a patch is available. As a temporary workaround, avoid using the `r type` parameter in the "showhoteldetails" action to "index.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Hotel Booking Reservation System (aka HBS) version 1.0.0 com tophotelmodule component version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in a "showhoteldetails" action to "index.php". **Recommendations** For Hotel Booking Reservation System (aka HBS) version 1.0.0, avoid using the `id` parameter in the "showhoteldetails" action to "index.php" until the issue is resolved. For com tophotelmodule component version 1.0, consider disabling the component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Joomla! component Books (com books) (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `book id` parameter in a "book details" action to "index.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com contactinfo version 1.0 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `catid` parameter in the `/index.php` API endpoint. **Recommendations** For version 1.0 of the com contactinfo component, avoid using the `catid` parameter in the /index.php endpoint until the issue is resolved. Consider temporarily restricting access to the Contact Information Module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Kroax (the kroax) module for PHP-Fusion versions 4.42 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `category` parameter in the kroax.php file. **Recommendations** For versions 4.42 and earlier, update to a version later than 4.42 to resolve the issue. As a temporary workaround, consider restricting access to the `kroax.php` file or validating and sanitizing the `category` parameter to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `lid` parameter in a "detail adverts" action. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion Freshlinks module version 1.0 RC1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `linkid` parameter in the index.php file. **Recommendations** For PHP-Fusion Freshlinks module version 1.0 RC1, consider restricting access to the index.php file until a patch is available, and avoid using the `linkid` parameter in the affected API endpoint.