H4Cky0U

**Name of the Vulnerable Software and Affected Versions** Oi! Email Marketing System version 3.0 **Description** The issue allows local users with superadministrator privileges, or attackers who have obtained access to the web page, to view the server's FTP password stored in cleartext on a Configuration web page. **Recommendations** For Oi! Email Marketing System version 3.0, consider restricting access to the Configuration web page to minimize the risk of exploitation. As a temporary workaround, limit the privileges of local users to prevent them from accessing sensitive configuration details. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Alstrasoft Epay Pro versions 2.0 and earlier **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the index.php file. This is achieved by using a .. (dot dot) in the `read` parameter. **Recommendations** For Alstrasoft Epay Pro versions 2.0 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Subscribe Me Pro versions 2.044.09P and earlier **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files by utilizing a .. (dot dot) in the `l` parameter. **Recommendations** For versions 2.044.09P and earlier, update to a version later than 2.044.09P to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHPFreeNews versions 1.40 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `Match` or `CatID` parameter to "SearchResults.php", or the `password` to "AccessControl.php". **Recommendations** For PHPFreeNews versions 1.40 and earlier, as a temporary workaround, consider restricting access to the "SearchResults.php" and "AccessControl.php" scripts until a patch is available. Avoid using the `Match` and `CatID` parameters in the "SearchResults.php" script and the `password` parameter in the "AccessControl.php" script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPFreeNews versions 1.40 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `NewsMode` parameter to `NewsCategoryForm.php`, or the `Match` or `NewsMode` parameter to `SearchResults.php`. **Recommendations** For PHPFreeNews versions 1.40 and earlier, consider restricting access to the `NewsCategoryForm.php` and `SearchResults.php` scripts until a fix is available. As a temporary workaround, avoid using the `NewsMode` and `Match` parameters in the affected API endpoints.