Don

**Name of the Vulnerable Software and Affected Versions** Fresh Email Script versions 1.0 through 1.11 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `Email` parameter in the register.php file. It can be leveraged to modify cookies and conduct session fixation attacks. **Recommendations** For versions 1.0 through 1.11, update the register.php file to properly sanitize the `Email` parameter to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the register.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Fresh Email Script versions 1.0 through 1.11 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `tmp sid` parameter in the url.php file. **Recommendations** For Fresh Email Script versions 1.0 through 1.11, update to a version that fixes this issue to prevent remote attackers from executing arbitrary PHP code.

**Name of the Vulnerable Software and Affected Versions** dotCMS version 1.6.0.9 **Description** The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This can be achieved by including a .. (dot dot) in the `id` parameter to specific API endpoints, such as "news/index.dot" and "getting started/macros/macros detail.dot". **Recommendations** For dotCMS version 1.6.0.9, as a temporary workaround, consider restricting access to the `id` parameter in the affected API endpoints until a patch is available. Avoid using the `id` parameter in the "news/index.dot" and "getting started/macros/macros detail.dot" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com ewriting version 1.2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `cat` parameter in a "selectcat" action within the index.php file of the com ewriting module. **Recommendations** For version 1.2.1, consider restricting access to the vulnerable `index.php` file in the com ewriting module until a patch is available. As a temporary workaround, avoid using the `cat` parameter in the "selectcat" action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com quran versions 1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `surano` parameter in a "viewayat" action within the index.php file of the com quran component for Mambo and Joomla!. **Recommendations** For com quran versions 1.1 and earlier, consider restricting access to the vulnerable index.php file until a patch is available. As a temporary workaround, avoid using the `surano` parameter in the "viewayat" action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MySpace Content Zone (MCZ) version 3.x **Description** The issue concerns the `admin/uploadgames.php` file, which does not require administrative privileges. This allows remote attackers to perform unrestricted file uploads. Attackers can upload malicious files, such as `.php` files or files with names like `.php%00.jpeg`, to potentially execute arbitrary code. **Recommendations** For MySpace Content Zone (MCZ) version 3.x, restrict access to the `admin/uploadgames.php` file to require administrative privileges, and validate all file uploads to prevent malicious files from being uploaded. As a temporary workaround, consider disabling the file upload functionality in `admin/uploadgames.php` until a proper fix is implemented.

Name of the Vulnerable Software and Affected Versions: phpBB versions 2.0.22 and earlier Links MOD version 1.2.2 and earlier Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `start` parameter in a "search" action, specifically targeting the links.php file in the Links MOD for phpBB. Recommendations: For phpBB versions 2.0.22 and earlier, update to a version later than 2.0.22. For Links MOD version 1.2.2 and earlier, update to a version later than 1.2.2. As a temporary workaround, consider restricting access to the links.php file in the Links MOD to minimize the risk of exploitation. Avoid using the `start` parameter in the affected search action until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Ourspace version 2.0.9 Description: The issue allows remote attackers to upload certain files via unspecified vectors, likely due to unrestricted functionality in the newswire/uploadmedia.cgi script. Recommendations: For Ourspace version 2.0.9, restrict access to the newswire/uploadmedia.cgi script to prevent unauthorized file uploads until a fix is available.