Egix

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 5.0.0 through 5.7.5 vBulletin versions 6.0.0 through 6.0.3 **Description** vBulletin versions 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 are affected by an issue allowing unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later. This is demonstrated by the /api.php?method=protectedMethod pattern. The vulnerability stems from improper handling of API method invocation combined with changes in PHP 8.1's Reflection API behavior. Specifically, the ReflectionMethod::invoke() function in PHP 8.1 and later no longer blocks access to protected methods by default. Attackers can exploit this to trigger sensitive internal functions and achieve remote code execution (RCE). The issue has been exploited in the wild since May 2025, with approximately 42,500+ services found to be potentially affected annually. The vulnerability can be exploited through the `/ajax/api/[controller]/[method]` endpoints, utilizing the `routestring` parameter. A specific example involves the `replaceAdTemplate` method within the `vB Api Ad` controller, where a malicious template can be uploaded and subsequently executed via a crafted request. **Recommendations** vBulletin versions 5.0.0 through 5.7.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. vBulletin versions 6.0.0 through 6.0.3: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vBulletin (affected versions not specified) **Description** Certain versions of vBulletin are susceptible to remote code execution due to improper handling of template conditionals within the template engine. Attackers can bypass security checks and execute arbitrary PHP code by crafting template code using an alternative PHP function invocation syntax, such as `var dump("test")`. This issue was exploited in the wild in May 2025. The vulnerability involves the misuse of template conditionals, potentially leading to system compromise. The vulnerability is related to the `replaceAdTemplate` function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Xenforo versions prior to 2.2.16 **Description** The issue allows code injection. **Recommendations** For versions prior to 2.2.16, update to version 2.2.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Xenforo versions prior to 2.2.16 **Description** The issue allows for CSRF, which is a type of attack that tricks a user into performing unintended actions on a web application. **Recommendations** For versions prior to 2.2.16, update to version 2.2.16 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ImpressCMS versions prior to 1.4.3 **Description** The issue is related to a type confusion in the autologin.php file within the plugins/preloads directory, leading to an Authentication Bypass. This occurs due to the use of the != operator instead of the !== operator. **Recommendations** For versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider disabling the autologin feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ImpressCMS versions prior to 1.4.3 **Description** The issue allows directory traversal via the `image temp` parameter in the `libraries/image-editor/image-edit.php` file. This can potentially lead to unauthorized access to sensitive files on the server. **Recommendations** For versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `libraries/image-editor/image-edit.php` file until a patch is applied. Avoid using the `image temp` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ImpressCMS versions prior to 1.4.3 **Description** The issue allows for SQL Injection in the include/findusers.php groups. There is a remote code execution exploit. **Recommendations** For versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the include/findusers.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ImpressCMS versions prior to 1.4.3 **Description** The issue is related to Incorrect Access Control in ImpressCMS, specifically in the include/findusers.php file, which allows access by unauthenticated attackers who have a security token by design. **Recommendations** For ImpressCMS versions prior to 1.4.3, update to version 1.4.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the include/findusers.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Invision Community (aka IPS Community Suite) versions prior to 4.6.0 **Description** The issue is related to the `IPScmsmodulesfrontpages builder::previewBlock` method interacting unsafely with the `IPS Theme::runProcessFunction` method, allowing for eval-based PHP code injection by a moderator. This is due to incorrect code generation management in the IPS Community Suite software. Exploitation of the issue may allow a remote attacker to execute arbitrary PHP code. **Recommendations** For versions prior to 4.6.0, update to version 4.6.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `IPScmsmodulesfrontpages builder::previewBlock` method and the `IPS Theme::runProcessFunction` method to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: ExpressionEngine versions prior to 5.4.2 ExpressionEngine versions 6.x prior to 6.0.3 Description: The issue allows PHP code injection by certain authenticated users who can leverage `Translate::save()` to write to an lang.php file under the system/user/language directory. This can be exploited by authenticated users. Recommendations: For ExpressionEngine versions prior to 5.4.2, update to version 5.4.2 or later. For ExpressionEngine versions 6.x prior to 6.0.3, update to version 6.0.3 or later. As a temporary workaround, consider restricting access to the `Translate::save()` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Concrete5 versions 8.5.5 and earlier **Description** The issue is related to the deserialization of untrusted data in the Concrete5 CMS system. The vulnerable code is located within the `controllers/single page/dashboard/system/environment/logging.php` file, specifically in the `Logging::update logging()` method. User input passed through the `logFile` request parameter is not properly sanitized before being used in a call to the `file exists()` PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope, allowing them to carry out various attacks, such as executing arbitrary PHP code. **Recommendations** For Concrete5 versions 8.5.5 and earlier, consider disabling the `Logging::update logging()` method until a patch is available. Restrict access to the `logFile` request parameter to minimize the risk of exploitation. Avoid using the `logFile` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: vtiger CRM versions 5.4.0 and earlier Description: The issue allows remote attackers to view files and execute local script code due to local file-include vulnerabilities in the `customerportal.php` file. Recommendations: For versions 5.4.0 and earlier, consider restricting access to the `customerportal.php` file until a fix is available. As a temporary workaround, restrict the execution of local script code in the `customerportal.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WebCalendar versions prior to 1.2.5 **Description** The issue allows remote attackers to execute arbitrary code via the `form single user login` parameter in the install/index.php file. **Recommendations** For versions prior to 1.2.5, update to version 1.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the install/index.php file until a patch is applied. Avoid using the `form single user login` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SugarCRM CE versions 6.3.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code due to the use of `unserialize()` with user-controlled input in certain scripts. **Recommendations** For SugarCRM CE versions 6.3.1 and earlier, as a temporary workaround, consider restricting access to the affected scripts that utilize `unserialize()` with user-controlled input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Enalean Tuleap versions 9.6 and prior **Description** The issue exists due to the User::getRecentElements() method using the unserialize() function with a preference value that can be manipulated by malicious users through the REST API interface. This allows an attacker to inject arbitrary PHP objects into the application scope, enabling various attacks, including Remote Code Execution. **Recommendations** For Enalean Tuleap versions 9.6 and prior, consider disabling the User::getRecentElements() method or restricting access to the REST API interface until a patch is available. Avoid using the unserialize() function with user-provided input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete5 version 5.7.3.1 **Description** The issue is related to a SQL injection vulnerability. **Recommendations** For Concrete5 version 5.7.3.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete5 version 5.7.3.1 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. XSS is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially leading to unauthorized access or control of user sessions. **Recommendations** For Concrete5 version 5.7.3.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PEAR HTML AJAX versions 0.3.0 through 0.5.7 **Description** The issue is related to a PHP Object Injection Vulnerability in the PHP Serializer, which allows remote code execution. The root cause is attributed to an incorrect regular expression. **Recommendations** For versions 0.3.0 through 0.5.7, update to a version that fixes the PHP Object Injection Vulnerability in the PHP Serializer to prevent remote code execution.

**Name of the Vulnerable Software and Affected Versions** DataLife Engine (DLE) version 9.7 **Description** The issue allows remote attackers to execute arbitrary PHP code. This is achieved via the `catlist[]` parameter to "engine/preview.php". The vulnerability is exploited through a `preg replace` function call with an `e` modifier. **Recommendations** For DataLife Engine (DLE) version 9.7, consider restricting access to the "engine/preview.php" endpoint until a patch is available. As a temporary workaround, avoid using the `catlist[]` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! versions 2.5.x through 2.5.9 Joomla! versions 3.0.x through 3.0.3 **Description** The issue allows remote authenticated users to conduct PHP object injection attacks, potentially causing a denial of service. This is due to improper handling of an object obtained by unserializing a cookie in the `plugins/system/remember/remember.php` file. **Recommendations** For Joomla! versions 2.5.x through 2.5.9, update to version 2.5.10 or later. For Joomla! versions 3.0.x through 3.0.3, update to version 3.0.4 or later.