Drago84

Name of the Vulnerable Software and Affected Versions: MDweb versions 1.3 and earlier Description: The issue allows remote attackers to execute arbitrary PHP code via a URL in the `chemin appli` parameter in specific PHP files, including "admin/inc/organisations/form org.inc.php" and "admin/inc/organisations/country insert.php". Recommendations: For MDweb versions 1.3 and earlier, consider restricting access to the `chemin appli` parameter in the affected PHP files until a patch is available. As a temporary workaround, consider disabling the execution of remote PHP code in the "admin/inc/organisations/form org.inc.php" and "admin/inc/organisations/country insert.php" files. Avoid using the `chemin appli` parameter in the affected files until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CDS Agenda versions 4.2.9 and earlier **Description** A remote file inclusion issue in the modification/SendAlertEmail.php file allows remote attackers to execute arbitrary PHP code via a URL in the `AGE` parameter. **Recommendations** For versions 4.2.9 and earlier, update to a version later than 4.2.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** VAMP Webmail versions 2.0beta1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `no url` parameter in the `yesno.phtml` file. **Recommendations** For VAMP Webmail versions 2.0beta1 and earlier, consider restricting access to the `yesno.phtml` file to minimize the risk of exploitation. Avoid using the `no url` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** A-Blog 2 (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `navigation start` parameter in the navigation/menu.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kristian Niemi Polaring versions 00.04.03 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the ` SESSION[dirMain]` parameter. This can be exploited by providing a malicious URL, potentially leading to code execution on the server. **Recommendations** For versions 00.04.03 and earlier, consider restricting access to the `view/general.php` file until a patch is available. As a temporary workaround, avoid using the ` SESSION[dirMain]` parameter in sensitive operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Web-News versions 1.6.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `content page` parameter in the webnews/template.php file. **Recommendations** For Web-News versions 1.6.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZoomStats versions 1.0.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `GLOBALS[lib][db][path]` parameter. **Recommendations** For ZoomStats versions 1.0.2 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the libs/dbmax/mysql.php file until a fix is available. Avoid using the `GLOBALS[lib][db][path]` parameter in URLs for the affected versions.

**Name of the Vulnerable Software and Affected Versions** Security Images (com securityimages) component versions 3.0.5 and earlier for Joomla! **Description** The issue allows remote attackers to execute arbitrary code via a URL in the `mosConfig absolute path` parameter in several PHP files, including "configinsert.php", "lang.php", "client.php", and "server.php". **Recommendations** For Security Images (com securityimages) component versions 3.0.5 and earlier, update to a version later than 3.0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Thatware versions 0.4.6 and possibly earlier **Description** A remote file inclusion issue in config.php allows remote attackers to execute arbitrary PHP code via a URL in the `root path` parameter. **Recommendations** For versions 0.4.6 and earlier, consider restricting access to the config.php file to minimize the risk of exploitation. Avoid using the `root path` parameter in the affected config.php file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Spaminator versions 1.7 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `page` parameter in the Login.php file. **Recommendations** For Spaminator versions 1.7 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MVCnPHP version 3.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `glConf[path library]` parameter to specific PHP files, including (1) BaseCommand.php, (2) BaseLoader.php, and (3) BaseView.php. **Recommendations** For MVCnPHP version 3.0, consider restricting access to the `glConf[path library]` parameter to prevent remote file inclusion attacks. As a temporary workaround, restrict access to the vulnerable PHP files, including BaseCommand.php, BaseLoader.php, and BaseView.php, until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chaussette version 080706 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the ` BASE` parameter to various scripts in the Classes/ directory, including `Evenement.php`, `Event.php`, `Event for month.php`, `Event for week.php`, `My Log.php`, `My Smarty.php`, and possibly `Event for month per day.php`. **Recommendations** For Chaussette version 080706 and earlier, consider restricting access to the vulnerable scripts in the Classes/ directory until a patch is available. As a temporary workaround, avoid using the ` BASE` parameter in the affected scripts.

**Name of the Vulnerable Software and Affected Versions** phNNTP versions 1.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `file newsportal` parameter. This can be exploited by providing a malicious URL to the vulnerable parameter, potentially leading to the execution of arbitrary code. **Recommendations** For phNNTP versions 1.3 and earlier, as a temporary workaround, consider restricting access to the `article-raw.php` file until a patch is available. Avoid using the `file newsportal` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** See-Commerce versions 1.0.625 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path` parameter in the owimg.php3 file. **Recommendations** For See-Commerce versions 1.0.625 and earlier, consider restricting access to the owimg.php3 file until a patch is available. As a temporary workaround, avoid using the `path` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** hitweb versions 4.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via the `REP INC` parameter in the genpage-cgi.php file. **Recommendations** For hitweb versions 4.2 and earlier, consider restricting access to the genpage-cgi.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `REP INC` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Colophon versions 1.2 and earlier for Joomla! **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter in the administrator/components/com colophon/admin.colophon.php file. **Recommendations** For Colophon versions 1.2 and earlier, consider restricting access to the administrator/components/com colophon/admin.colophon.php file until a patch is available. Avoid using the `mosConfig absolute path` parameter in the affected file to minimize the risk of exploitation.