Cyberlog

**Name of the Vulnerable Software and Affected Versions** NITRO Web Gallery (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `PictureId` parameter in an "open" action, which is part of the index.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Iceberg CMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `p id` parameter in the "details.php" file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jamroom versions 3.3.0 through 3.3.5 **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `jamroom[jm dir]` parameter. **Recommendations** For Jamroom versions 3.3.0 through 3.3.5, consider disabling the register globals setting to prevent exploitation. As a temporary workaround, restrict access to the include/plugins/jrBrowser/purchase.php file until a patch is available. Avoid using the `jamroom[jm dir]` parameter in affected setups until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jamroom versions 3.3.0 through 3.3.5 **Description** A remote file inclusion issue allows remote attackers to execute arbitrary PHP code via a URL in the `jamroom[jm dir]` parameter. This is related to the include/plugins/jrBrowser/payment.php file. **Recommendations** For Jamroom versions 3.3.0 through 3.3.5, consider restricting access to the vulnerable payment.php file until a patch is available. Avoid using the `jamroom[jm dir]` parameter in the affected API endpoint until the issue is resolved.