Echoll

**Name of the Vulnerable Software and Affected Versions** Joomla! com phocadocumentation component (affected versions not specified) **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in a section action to "index.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hotel Booking Reservation System (aka HBS) for Joomla (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in a "showhoteldetails" action to "index.php" in the (1) com allhotels or (2) com 5starhotels module. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XOOPS xhresim module (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting a SQL injection vulnerability in the index.php file of the xhresim module. The vulnerability is triggered via the `no` parameter. **Recommendations** For the xhresim module in XOOPS, consider restricting access to the index.php file until a patch is available. As a temporary workaround, avoid using the `no` parameter in the vulnerable module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GesGaleri (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting a SQL injection vulnerability in the index.php file of the GesGaleri module for XOOPS, specifically via the `no` parameter. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Makale versions 0.26 and possibly other versions **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the makale.php file, a module for XOOPS. **Recommendations** For Makale version 0.26, update the module to prevent SQL injection attacks by properly sanitizing the `id` parameter. For other possibly affected versions, ensure that the `id` parameter is validated and sanitized to prevent arbitrary SQL command execution.

**Name of the Vulnerable Software and Affected Versions** Joovili versions 2.x **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files by utilizing a .. (dot dot) in the `picture` parameter of the include/images.inc.php file. **Recommendations** For Joovili versions 2.x, restrict access to the include/images.inc.php file to minimize the risk of exploitation. Avoid using the `picture` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joovili versions 3.0.0 through 3.0.6 **Description** A directory traversal issue in joovili.images.php allows remote attackers to read arbitrary files by using a .. (dot dot) in the `picture` parameter. **Recommendations** For versions 3.0.0 through 3.0.6, consider restricting access to the joovili.images.php file until a patch is available. As a temporary workaround, avoid using the `picture` parameter in the affected API endpoint until the issue is resolved.