H4Ck3R#47

**Name of the Vulnerable Software and Affected Versions** PHP Classifieds Ads (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `sid` parameter in the "classi/detail.php" file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Softbiz Article Directory Script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `sbiz id` parameter in the "article details.php" file. **Recommendations** For all affected versions, consider restricting access to the `article details.php` file until a patch is available. As a temporary workaround, avoid using the `sbiz id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyPhpAuction version 2010 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the product desc.php file. **Recommendations** For MyPhpAuction version 2010, consider restricting access to the product desc.php file until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NetArt Media Blog System version 1.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `cat` parameter to "index.php" and the `note` parameter to "blog.php". **Recommendations** For NetArt Media Blog System version 1.5, consider restricting access to the `cat` parameter in "index.php" and the `note` parameter in "blog.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Websens CMSbright (affected versions not specified) **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `id rub page` parameter in the public/page.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ParsBlogger (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting a SQL injection vulnerability in the blog.asp file via the `wr` parameter in the API endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** InstaGuide Weather (aka Weather for PHP) version 1.0 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `PageName` parameter when `magic quotes gpc` is disabled. This can be exploited by sending a request to the "index.php" endpoint with a specially crafted `PageName` parameter. **Recommendations** For InstaGuide Weather (aka Weather for PHP) version 1.0, consider disabling the execution of files based on user input in the "index.php" file until a patch is available. Restrict access to the `PageName` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: xKiosk WEB version 3.0.1i Description: The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved by providing a URL in the `PEARPATH` parameter. Recommendations: For xKiosk WEB version 3.0.1i, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the system/funcs/xkurl.php file until a patch is available. Avoid using the `PEARPATH` parameter in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Nuke Mobile Entertainment 1 addon for PHP-Nuke (affected versions not specified) **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `module name` parameter. This can be exploited by sending a request to a vulnerable API endpoint, although the specific endpoint is not mentioned. The attack involves using the `module name` parameter to traverse directories and access files that should be restricted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AssetMan versions 2.4a and earlier **Description** The issue allows remote attackers to read arbitrary files via a .. (dot dot) in the `pdf file` parameter in the "download pdf.php" file. **Recommendations** For AssetMan versions 2.4a and earlier, update to a version later than 2.4a to resolve the issue.