Deluxe89

**Name of the Vulnerable Software and Affected Versions** PaFileDB version 3.1 **Description** A SQL injection issue exists in the auth.php file of PaFileDB when the authmethod is set to cookies. This allows remote attackers to execute arbitrary SQL commands by manipulating the `username` value in the `pafiledbcookie` cookie. **Recommendations** For PaFileDB version 3.1, update the auth.php file to properly sanitize the `username` value in the `pafiledbcookie` cookie to prevent SQL injection attacks. As a temporary workaround, consider restricting access to the auth.php file or disabling the use of cookies as an authmethod until a patch is available.

**Name of the Vulnerable Software and Affected Versions** JGS-XA JGS-Portal versions 3.0.2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including `anzahl beitraege` to "jgs portal.php", `year` to "jgs portal statistik.php", "jgs portal beitraggraf.php", "jgs portal themengraf.php", and "jgs portal mitgraf.php", `tag` to "jgs portal viewsgraf.php", `id` to "jgs portal sponsor.php", or the `Accept-Language` header to "jgs portal log.php". **Recommendations** For JGS-XA JGS-Portal versions 3.0.2 and earlier, consider disabling the affected parameters, such as `anzahl beitraege`, `year`, `tag`, and `id`, until a patch is available. Additionally, restrict access to the `Accept-Language` header in "jgs portal log.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** JGS-XA JGS-Portal version 3.0.2 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including `anzahl beitraege` to "jgs portal.php", `year` to "jgs portal statistik.php", `year` to "jgs portal beitraggraf.php", `tag` to "jgs portal viewsgraf.php", `year` to "jgs portal themengraf.php", `year` to "jgs portal mitgraf.php", `id` to "jgs portal sponsor.php", or the Accept-Language header to "jgs portal log.php". **Recommendations** For JGS-XA JGS-Portal version 3.0.2 and earlier, consider disabling the affected parameters, such as `anzahl beitraege`, `year`, `tag`, and `id`, until a patch is available. Additionally, restrict access to the Accept-Language header in "jgs portal log.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** JGS-XA JGS-Portal versions 3.0.2 and earlier **Description** The issue allows remote attackers to obtain the full server path via direct requests to multiple files, including `jgs portal ref.php`, `jgs portal land.php`, `jgs portal log.php`, `jgs portal global sponsor.php`, `jgs portal global.php`, `jgs portal system.php`, `jgs portal views.php`, and several files in the `jgs portal include` directory, such as `jgs portal boardmenue.php`, `jgs portal forenliste.php`, `jgs portal geburtstag.php`, `jgs portal guckloch.php`, `jgs portal kalender.php`, `jgs portal letztethemen.php`, `jgs portal links.php`, `jgs portal neustemember.php`, `jgs portal newsboard.php`, `jgs portal online.php`, `jgs portal pn.php`, `jgs portal portalmenue.php`, `jgs portal styles.php`, `jgs portal suchen.php`, `jgs portal team.php`, `jgs portal topforen.php`, `jgs portal topposter.php`, `jgs portal umfrage.php`, `jgs portal useravatar.php`, `jgs portal waronline.php`, `jgs portal woonline.php`, or `jgs portal zufallsavatar.php`. **Recommendations** As a temporary workaround, consider restricting direct access to the mentioned files until a patch is available. Restrict access to the `jgs portal include` directory to minimize the risk of exploitation. Avoid using direct requests to the vulnerable files in the `jgs portal include` directory until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: JGS-Portal versions 3.0.1 and earlier Description: A SQL injection issue allows remote attackers to execute arbitrary SQL commands. The issue is related to the `id` parameter in the jgs portal.php file. Recommendations: For JGS-Portal versions 3.0.1 and earlier, update to a version later than 3.0.1 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: WoltLab Burning Board versions 2.3.1 and earlier Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `hilight` parameter in the "thread.php" file. Recommendations: For versions 2.3.1 and earlier, consider disabling the `hilight` parameter in the thread.php file as a temporary workaround until a patch is available. Restrict access to the thread.php file to minimize the risk of exploitation. Avoid using the `hilight` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpBB Knowledge Base module (affected versions not specified) **Description** The issue allows remote attackers to obtain sensitive information and execute SQL commands. This is achieved by exploiting a SQL injection vulnerability in the kb.php file of the Knowledge Base module. The vulnerability is specifically tied to the `cat` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PerlDesk versions 1.x **Description** The issue allows remote attackers to inject arbitrary SQL commands via the `view` parameter. This can potentially lead to unauthorized access or manipulation of database content. **Recommendations** For PerlDesk version 1.x, consider restricting access to the vulnerable parameter `view` to minimize the risk of exploitation. As a temporary workaround, avoid using the `view` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.