Coloss

Rank #12118 of 53,612 · Total CVSS 22.5 · Vulnerabilities: 3 · High: 3
PT-2007-5049 · CVSS 7.5 · 2007-07-17 · Mkportal · Mkportal · CVE-2007-3814
Name of the Vulnerable Software and Affected Versions: MKPortal version 1.1.1

Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several vectors:

- the `idurlo` field in the `delete urlo` function in `index.php` of the urlobox module;
- the `iden` field in the `update file` and `del file` functions in `index.php` of the reviews module;
- the `idnews` field in the `delete news` function and the `idcomm` field in the `del comment` function in `index.php` of the news module;
- the `idcomm` field in the `delete comments` function in `index.php` of the gallery module;
- the `iden` field in the `edit file`, `update file`, and `del file` functions in `index.php` of the gallery module;
- the `ide` and `cat` fields in the `slide update` function in `index.php` of the gallery module;
- the `iden` field in the `update file` and `del file` functions in `index.php` of the downloads module.

Recommendations: As a temporary workaround, consider disabling the `delete urlo`, `update file`, `del file`, `delete news`, `del comment`, `delete comments`, `edit file`, and `slide update` functions until a patch is available. Restrict access to the `idurlo`, `iden`, `idnews`, `idcomm`, `ide`, and `cat` fields in the affected modules to minimize the risk of exploitation. Avoid using these fields in the respective API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.