Haunt It

**Name of the Vulnerable Software and Affected Versions** Simple Machines Forum (SMF) version 2.0.4 **Description** The issue allows for XSS via the `index.php?action=pm;sa=settings;save` sa parameter. This means an attacker could potentially inject malicious scripts into the website, affecting user sessions. **Recommendations** For Simple Machines Forum (SMF) version 2.0.4, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Simple Machines Forum (SMF) version 2.0.4 **Description** The issue allows for local file inclusion, which can result in remote code execution. This is achieved through directory traversal in the `db type` parameter of the install.php file. The vulnerability is exploitable if the install.php file remains present after the installation process. **Recommendations** For version 2.0.4, remove or restrict access to the install.php file to prevent exploitation. As a temporary workaround, consider restricting the `db type` parameter in the install.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** gpEasy CMS version 2.3.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `jsoncallback` parameter in the index.php/Admin Preferences file. **Recommendations** For gpEasy CMS version 2.3.3, update to a version that fixes this issue to prevent remote attackers from injecting arbitrary web script or HTML.

**Name of the Vulnerable Software and Affected Versions** eFront versions 3.6.10, 3.6.11 build 15059, and earlier **Description** The issue allows remote attackers to obtain sensitive information via an invalid `courses ID` parameter in the `lesson info` module to "index.php", which reveals the installation path in an error message. **Recommendations** For versions 3.6.10, 3.6.11 build 15059, and earlier, consider restricting access to the `lesson info` module until a fix is available. Avoid using the `courses ID` parameter in the affected "index.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Joomla! component nBill (com nbill) version 2.3.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `message` parameter in an income action to "administrator/index.php". **Recommendations** For version 2.3.2, consider restricting access to the `message` parameter in the income action to administrator/index.php until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Open Solution Quick.Cart version 5.0 **Description** The issue allows remote attackers to obtain sensitive information. This can be achieved by providing a long string or invalid characters in a `cookie`, which results in an error message that reveals the installation path. **Recommendations** For Open Solution Quick.Cart version 5.0, consider validating and sanitizing cookie inputs to prevent the disclosure of sensitive information. As a temporary workaround, restrict access to error messages that may contain installation path details until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Yaqas (Yet Another Question & Answer System) version 1.0 Alpha 1 **Description** The issue allows remote attackers to obtain sensitive information via an invalid character in the `PHPSESSID`, which reveals the installation path in an error message. **Recommendations** For Yaqas (Yet Another Question & Answer System) version 1.0 Alpha 1, consider validating and sanitizing user input to prevent the injection of invalid characters into the `PHPSESSID`. As a temporary workaround, restrict access to error messages that may reveal sensitive information about the installation path.

**Name of the Vulnerable Software and Affected Versions** jNews (com jnews) version 7.5.1 **Description** The issue allows remote attackers to obtain sensitive information. This is achieved via the `emailsearch` parameter, which reveals the installation path in an error message. **Recommendations** For version 7.5.1, avoid using the `emailsearch` parameter until the issue is resolved. As a temporary workaround, consider restricting access to the component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Quick.CMS version 4.0 **Description** A cross-site scripting (XSS) issue exists in the default index page in admin/ due to improper validation of user input. This allows remote attackers to inject arbitrary web script or HTML via the `p` parameter in the affected API endpoint "/admin/". **Recommendations** For Quick.CMS version 4.0, as a temporary workaround, consider restricting access to the default index page in admin/ until a patch is available. Avoid using the `p` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** vBulletin version 4.1.12 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a long string in the `subject` parameter when creating a post. **Recommendations** For version 4.1.12, avoid using long strings in the `subject` parameter when creating a post until a fix is available. As a temporary workaround, consider restricting the length of input in the `subject` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** e107 version 1.0.1 **Description** A cross-site scripting (XSS) issue exists in the registration page, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For version 1.0.1, update to a newer version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.