D4Igoro

**Name of the Vulnerable Software and Affected Versions** PHPKB Knowledge Base (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `searchkeyword` parameter in the "search.php" file. This issue was initially disputed by the vendor but was later acknowledged and fixed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PowerClan version 1.14 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `memberid` parameter in the member.php file. **Recommendations** For PowerClan version 1.14, consider restricting access to the member.php file until a patch is available, and avoid using the `memberid` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Tritanium Bulletin Board (TBB) version 1.2.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `newuser realname` and `newuser icq` parameters in the register.php file. This is a different vector from a previously known issue. **Recommendations** For version 1.2.3, avoid using the `newuser realname` and `newuser icq` parameters in the register.php file until the issue is resolved. As a temporary workaround, consider restricting access to the register.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** UserLand Manila versions 9.5 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `mode` parameter in `msgReader$1` or at the end of the URI in `viewDepartment$`. **Recommendations** For versions 9.5 and earlier, consider disabling the `msgReader$1` and `viewDepartment$` functions until a patch is available. Restrict access to these functions to minimize the risk of exploitation. Avoid using the `mode` parameter in the affected API endpoint until the issue is resolved.