Dazhi

**Name of the Vulnerable Software and Affected Versions** Philipinho Simple-PHP-Blog versions prior to 94b5d3e57308bce5dfbc44c3edafa9811893d958 **Description** A cross site scripting issue exists in Philipinho Simple-PHP-Blog. The issue is located in the `/login.php` file, specifically involving manipulation of the `Username` parameter. The attack can be carried out remotely. The product is intended for educational purposes only and employs a rolling release strategy, making specific version details for updates unavailable. The exploit has been publicly released. **Recommendations** Versions prior to 94b5d3e57308bce5dfbc44c3edafa9811893d958 should be updated. As a temporary workaround, consider restricting or sanitizing input to the `Username` parameter in the `/login.php` file.

**Name of the Vulnerable Software and Affected Versions** BiggiDroid Simple PHP CMS version 1.0 **Description** A weakness exists in BiggiDroid Simple PHP CMS 1.0. The issue is related to some unknown functionality within the `/admin/editsite.php` file. Manipulation of the `ID` parameter can lead to SQL injection. The attack can be performed remotely. An exploit for this issue has been publicly released. The vendor was contacted regarding this disclosure but did not respond. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVL Rooms version 1.0 Description: A vulnerability exists in AVL Rooms that may allow for remote exploitation. The issue is related to SQL injection within the `/profile.php` file, specifically through manipulation of the `first name` parameter. The exploit has been publicly disclosed. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: AVL Rooms version 1.0 Description: A critical issue exists in AVL Rooms that allows for SQL injection. The vulnerability is located in the `/city.php` file, where manipulation of the `city` argument can trigger the attack remotely. The exploit for this issue has been publicly disclosed. Recommendations: As a temporary workaround, consider restricting access to the `/city.php` file until a fix is available. Sanitize the `city` argument to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Bftpd versions prior to 2.4 **Description** The issue is related to the bftpdutmp log function in bftpdutmp.c, which does not properly terminate a string with a '0' character. This could potentially allow remote attackers to cause a denial of service, resulting in the daemon crashing. **Recommendations** For versions prior to 2.4, update to version 2.4 or later to resolve the issue.