Drosophila

**Name of the Vulnerable Software and Affected Versions** iScripts ReserveLogic version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `pid` parameter in the packagedetails.php file. **Recommendations** For iScripts ReserveLogic version 1.0, consider restricting access to the packagedetails.php file until a patch is available. As a temporary workaround, avoid using the `pid` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** iScripts CyberMatch version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the "profile.php" file. **Recommendations** For iScripts CyberMatch version 1.0, avoid using the `id` parameter in the "profile.php" file until the issue is resolved. As a temporary workaround, consider restricting access to the "profile.php" file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Canteen (com canteen) component version 1.0 for Joomla! **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `mealid` parameter in the API endpoint "index.php" to execute SQL injection attacks. **Recommendations** For version 1.0 of the Canteen (com canteen) component, avoid using the `mealid` parameter in the "index.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the menu.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! TimeTrack component version 1.2.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `ct id` parameter in a timetrack action to the "index.php" endpoint. **Recommendations** For version 1.2.4, avoid using the `ct id` parameter in the timetrack action to the "index.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the timetrack component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** com amblog version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `articleid` or `catid` parameter to the "index.php" endpoint. **Recommendations** For version 1.0, consider restricting access to the `index.php` endpoint until a patch is available, and avoid using the `articleid` and `catid` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! (affected versions not specified) **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `PlayerID` parameter in a player save action to "index.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com jeguestbook version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `d itemid` parameter in an `item detail` action to `index.php`. **Recommendations** For version 1.0, avoid using the `d itemid` parameter in the `item detail` action to `index.php` until the issue is resolved. As a temporary workaround, consider restricting access to the `index.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JoomlaSeller JS Calendar (com jscalendar) component versions 1.5.1 and 1.5.4 for Joomla! **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `month` and `year` parameters in a "jscalendar" action to "index.php". **Recommendations** For version 1.5.1, avoid using the `month` and `year` parameters in the affected API endpoint until the issue is resolved. For version 1.5.4, restrict access to the "jscalendar" action in "index.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com jscalendar versions 1.5.1 through 1.5.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `ev id` parameter in a details action to the "index.php" endpoint. **Recommendations** For versions 1.5.1 through 1.5.4, avoid using the `ev id` parameter in the details action to the "index.php" endpoint until a fix is available. Consider restricting access to the com jscalendar component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! component com allcinevid version 1.0.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in the "index.php" endpoint. **Recommendations** For version 1.0.0, avoid using the `id` parameter in the "index.php" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JQuarks4s (com jquarks4s) component version 1.0.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible due to a SQL injection vulnerability in the submitSurvey function in controller.php, when magic quotes gpc is disabled. The vulnerability can be exploited via the `q` parameter in a submitSurvey action to "index.php". **Recommendations** For JQuarks4s (com jquarks4s) component version 1.0.0, consider disabling the submitSurvey function in controller.php until a patch is available. Restrict access to the "index.php" endpoint to minimize the risk of exploitation. Avoid using the `q` parameter in the submitSurvey action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JExtensions JE Auto (com jeauto) component version 1.0 for Joomla! **Description** The issue allows remote attackers to execute arbitrary SQL commands when magic quotes gpc is disabled. This is achieved by exploiting the `char` parameter in an item action to "index.php". **Recommendations** For version 1.0, consider disabling the component until a patch is available, or ensure that magic quotes gpc is enabled to mitigate the risk of SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** phpCheckZ version 1.1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter when `magic quotes gpc` is disabled. **Recommendations** For phpCheckZ version 1.1.0, consider disabling the `id` parameter in the chart.php file until a patch is available, or enable `magic quotes gpc` to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** InterJoomla ArtForms component version 2.1b7.2 RC2 for Joomla! **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `viewform` parameter in a `(1) ferforms` or `(2) tferforms` action to "index.php", and the `(3) id` parameter in a `vferforms` action to "index.php". **Recommendations** For InterJoomla ArtForms component version 2.1b7.2 RC2, consider disabling the `viewform` and `id` parameters in the affected API endpoints until a patch is available. Restrict access to the "index.php" file with `(1) ferforms`, `(2) tferforms`, or `(3) vferforms` actions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** InterJoomla ArtForms (com artforms) component version 2.1b7.2 RC2 **Description** The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `l` parameter in the assets/captcha/includes/alikon/playcode.php file. **Recommendations** For version 2.1b7.2 RC2, consider restricting access to the playcode.php file until a patch is available. As a temporary workaround, avoid using the `l` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** InterJoomla ArtForms component version 2.1b7.2 RC2 for Joomla! **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `afmsg` parameter to "index.php". **Recommendations** For version 2.1b7.2 RC2, consider restricting access to the `afmsg` parameter in the "index.php" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Portale e-commerce Creasito version 1.3.16 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `username` parameter to (1) "admin/checkuser.php" and (2) "checkuser.php" API endpoints when magic quotes gpc is disabled. **Recommendations** For version 1.3.16, consider disabling the `checkuser.php` and `admin/checkuser.php` endpoints until a patch is available, or restrict access to these endpoints to minimize the risk of exploitation. Avoid using the `username` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iScripts EasySnaps version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `comment` parameter to "add comments.php", the `values` parameter to "tags details.php", or the `begin` parameter to "greetings.php". **Recommendations** For iScripts EasySnaps version 2.0, consider restricting access to the affected API endpoints "add comments.php", "tags details.php", and "greetings.php" to minimize the risk of exploitation. Avoid using the `comment`, `values`, and `begin` parameters in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpCommunity 2 version 2.1.8 **Description** The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This is achieved by including a .. (dot dot) in the `file` parameter to "module/admin/files/show file.php" and the `path` parameter to "module/admin/files/show source.php". **Recommendations** For phpCommunity 2 version 2.1.8, consider restricting access to the "module/admin/files/show file.php" and "module/admin/files/show source.php" until a patch is available. Avoid using the `file` and `path` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** EZ-Blog version Beta 1 **Description** The issue concerns SQL injection vulnerabilities. When magic quotes gpc is disabled, remote attackers can execute arbitrary SQL commands. This can be achieved via the `storyid` parameter to "public/view.php" or the `kill` parameter to "admin/remove.php". **Recommendations** For EZ-Blog version Beta 1, consider disabling the `storyid` and `kill` parameters in the respective API endpoints "public/view.php" and "admin/remove.php" until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Enable magic quotes gpc to prevent SQL injection attacks.