Breeeeh

**Name of the Vulnerable Software and Affected Versions** VBZooM versions 1.11 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `UserID` parameter to several API endpoints, including "ignore-pm.php", "sendmail.php", "reply.php", and "sub-join.php". **Recommendations** For VBZooM versions 1.11 and earlier, as a temporary workaround, consider restricting access to the "ignore-pm.php", "sendmail.php", "reply.php", and "sub-join.php" endpoints until a patch is available. Avoid using the `UserID` parameter in these affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Invision Power Board version 1.3 Final **Description** The issue concerns SQL injection vulnerabilities that could allow remote attackers to execute arbitrary SQL commands. This is allegedly possible via the `CODE` parameter in certain actions in index.php, including Stats, Mail, and Reg. However, the developer has disputed this, stating that the `CODE` parameter does not interact with the database and is used in a SWITCH statement to determine which function to run. **Recommendations** For Invision Power Board version 1.3 Final, consider restricting access to the `CODE` parameter in the affected API endpoints, such as "/index.php" with actions Stats, Mail, and Reg, until the dispute is resolved or more information is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmS Script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `CatID` parameter in the following API endpoints: "cat.php" and "add.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RahnemaCo.com product (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `osCsid` parameter in the page.php file. This can be exploited by providing a malicious URL. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB (aka MyBulletinBoard) version 1.1.1 **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved via the `comma` parameter in the rss.php file. However, the specifics of how this attack can succeed are unclear due to discrepancies between the original report and the extracted source code. **Recommendations** For MyBB (aka MyBulletinBoard) version 1.1.1, as a temporary workaround, consider restricting access to the rss.php file until a patch is available. Avoid using the `comma` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB (aka MyBulletinBoard) version 1.1.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the comma parameter in the showthread.php file. **Recommendations** For MyBB (aka MyBulletinBoard) version 1.1.1, update to a newer version that contains a fix for this issue to prevent the execution of arbitrary SQL commands.

**Name of the Vulnerable Software and Affected Versions** DCForumLite version 3.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `az` parameter in the dcboard.cgi component. **Recommendations** For DCForumLite version 3.0, update the dcboard.cgi component to prevent injection of arbitrary web script or HTML via the `az` parameter. As a temporary workaround, consider restricting access to the dcboard.cgi component until a patch is available. Avoid using the `az` parameter in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DCForumLite version 3.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `az` parameter in the dcboard.cgi script. **Recommendations** For version 3.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the dcboard.cgi script to minimize the risk of exploitation. Avoid using the `az` parameter in the affected script until the issue is resolved.