Donnie Werner

**Name of the Vulnerable Software and Affected Versions** AspTopSites (affected versions not specified) **Description** The issue concerns SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands. This can be achieved via the `id` parameter to "goto.asp" or the `password` parameter to "includeloginuser.asp". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: mimicboard2 (Mimic2) versions 086 and earlier Description: The issue allows remote attackers to download a database via a direct request for `mimic2.dat` due to insufficient access control of sensitive information stored under the web root. Recommendations: For mimicboard2 (Mimic2) versions 086 and earlier, consider restricting access to the `mimic2.dat` file until a proper fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mimic2 versions 086 and earlier Description: The issue allows remote attackers to inject arbitrary web script or HTML via unspecified parameters associated with the `name`, `title`, and `comment` sections. This can be demonstrated by referencing a remote document through the SRC attribute of an IFRAME element. Recommendations: For Mimic2 versions 086 and earlier, as a temporary workaround, consider restricting access to the `name`, `title`, and `comment` sections to minimize the risk of exploitation. Avoid using these parameters in the affected sections until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QuickBlogger versions 1.4 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `author` and `comment` sections. **Recommendations** For QuickBlogger versions 1.4 and earlier, update to a version later than 1.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TellMe versions 1.2 and earlier **Description** The issue allows remote attackers to obtain sensitive information when the Server and HEAD options are enabled. This is achieved via an invalid `q Host` parameter, which reveals the full pathname of the application in an `fsockopen` error message. **Recommendations** For TellMe versions 1.2 and earlier, as a temporary workaround, consider disabling the Server and HEAD options until a patch is available. Avoid using the `q Host` parameter in affected configurations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** TellMe versions 1.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `q IP` (IP) or `q Host` (HOST) parameters. This can lead to the execution of malicious code on the victim's browser. **Recommendations** For TellMe versions 1.2 and earlier, as a temporary workaround, consider restricting access to the parameters `q IP` and `q Host` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nexus Concepts Dev Hound versions 2.24 and earlier **Description** The issue allows local users to gain privileges by accessing cleartext username and password information stored in the devhound.tdbd file. **Recommendations** For Nexus Concepts Dev Hound versions 2.24 and earlier, consider removing or securing access to the devhound.tdbd file to prevent unauthorized users from obtaining sensitive information. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nexus Concepts Dev Hound versions 2.24 and earlier **Description** The issue allows remote attackers to obtain the installation path via a URL containing a non-existent .dll file. **Recommendations** For versions 2.24 and earlier, update to a version later than 2.24 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Nexus Concepts Dev Hound versions 2.24 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple unspecified user input fields, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For versions 2.24 and earlier, update to a version later than 2.24 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Typsoft FTP Server versions 1.10 through 1.11 **Description** The issue allows remote attackers to cause a denial of service by sending multiple RETR commands when the "Sub Directory Include" option is enabled. **Recommendations** For versions 1.10 and 1.11, consider disabling the "Sub Directory Include" option as a temporary workaround to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PerlDiver versions 2.x **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `module` parameter in the perldiver.cgi file. **Recommendations** For PerlDiver versions 2.x, update to a version that fixes this issue, as using the vulnerable version allows attackers to inject malicious scripts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PerlDiver versions 1.x **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the query string in perldiver.pl. This issue was initially disputed by the vendor but has since been acknowledged. **Recommendations** For PerlDiver version 1.x, update to a version where this issue has been addressed, as the vendor has acknowledged the problem.

**Name of the Vulnerable Software and Affected Versions** Mac OS X versions 10.4 through 10.4.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Weblog Server. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unknown vectors. **Recommendations** For Mac OS X versions 10.4 through 10.4.2, update to a version outside of the affected range to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cool Cafe Chat version 1.2.1 **Description** The issue allows remote attackers to obtain sensitive information, including the administrator password and email address, by modifying the nickname value in the modifyUser.asp file. **Recommendations** For Cool Cafe Chat version 1.2.1, consider restricting access to the `modifyUser.asp` file until a patch is available, and avoid using the `nickname` value in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cool Cafe Chat version 1.2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `password` in the login.asp file. **Recommendations** For Cool Cafe Chat version 1.2.1, consider restricting access to the login.asp file until a patch is available. As a temporary workaround, avoid using the `password` variable in the login process to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SiteStudio version 1.6 **Description** A cross-site scripting (XSS) issue exists in the guestbook component, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via the `name` field in either the `psoft.guestbook.GuestBookServ` in Standalone Site Studio or the `E-Guest sign.pl` in Integrated Site Studio with H-Sphere. **Recommendations** For SiteStudio version 1.6, consider disabling the guestbook component until a patch is available to prevent exploitation. Restrict access to the `psoft.guestbook.GuestBookServ` and `E-Guest sign.pl` to minimize the risk of XSS attacks. Avoid using the `name` field in the affected guestbook component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XAMPP versions 1.4.x **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific files, including (1) cds.php, (2) Guestbook-EN.pl, or (3) phonebook.php. **Recommendations** For XAMPP versions 1.4.x, update to a version that includes fixes for these XSS vulnerabilities. As a temporary workaround, consider restricting access to the vulnerable files cds.php, Guestbook-EN.pl, and phonebook.php until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XAMPP versions 1.4.x **Description** The issue allows attackers to gain privileges due to multiple default or null passwords. **Recommendations** For XAMPP version 1.4.x, change the default passwords to secure ones to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Adventia E-Data version 2.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a query keyword. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For Adventia E-Data version 2.0, consider implementing input validation and sanitization for query keywords to prevent the injection of malicious scripts. As a temporary workaround, restrict access to sensitive areas of the application until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Samsung ADSL Modem SMDK8947 version 1.2 **Description** The issue allows remote attackers to gain privileges due to the use of default passwords for the `root`, `admin`, or `user` users. This can be exploited via Telnet or an HTTP request to the "adsl.cgi" endpoint. **Recommendations** For Samsung ADSL Modem SMDK8947 version 1.2, change the default passwords for the `root`, `admin`, and `user` users to prevent unauthorized access. As a temporary workaround, consider restricting access to the "adsl.cgi" endpoint and disabling Telnet until the issue is resolved.