H4Ntu

**Name of the Vulnerable Software and Affected Versions** Adam van Dongen Forum (com forum) component (aka phpBB component) versions 1.2.4RC3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter in the download.php file. **Recommendations** For Adam van Dongen Forum (com forum) component (aka phpBB component) versions 1.2.4RC3 and earlier, consider restricting access to the download.php file until a fix is available. Avoid using the `phpbb root path` parameter in the download.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FlashBB versions 1.1.5 and earlier **Description** The issue allows remote attackers to execute arbitrary code via a URL in the `phpbb root path` parameter in the phpbb/getmsg.php file. **Recommendations** For FlashBB versions 1.1.5 and earlier, update to a version later than 1.1.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MambWeather versions 1.8.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter. This is a result of a PHP remote file inclusion vulnerability in the Savant2/Savant2 Plugin options.php file of the MambWeather component for Mambo. **Recommendations** For MambWeather versions 1.8.1 and earlier, avoid using the `mosConfig absolute path` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the Savant2/Savant2 Plugin options.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mambo versions 4.0j and possibly 4.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter in the LoudMouth Component. This is a result of a PHP remote file inclusion vulnerability in the includes/abbc/abbc.class.php file. **Recommendations** For Mambo version 4.0j, consider restricting access to the `mosConfig absolute path` parameter to minimize the risk of exploitation. For Mambo version 4.1, if affected, apply the same restriction as for version 4.0j. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mambo versions 0.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter. This is a result of a PHP remote file inclusion vulnerability in the core/videodb.class.xml.php file of the VideoDB component. **Recommendations** For Mambo versions 0.3 and earlier, consider restricting access to the `mosConfig absolute path` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Simpleboard Mambo module versions 1.1.0 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `sbp` parameter to specific API endpoints, such as "image upload.php" and "file upload.php". **Recommendations** For Simpleboard Mambo module versions 1.1.0 and earlier, consider restricting access to the "image upload.php" and "file upload.php" endpoints until a fix is available. Avoid using the `sbp` parameter in these endpoints to minimize the risk of exploitation.