Injector

**Name of the Vulnerable Software and Affected Versions** Open Auto Classifieds version 1.4.3b **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via two main vectors: the `id` parameter to "listings.php" and the `username` field to "login.php". **Recommendations** For Open Auto Classifieds version 1.4.3b, consider restricting access to the "listings.php" and "login.php" scripts until a patch is available. As a temporary workaround, avoid using the `id` parameter in "listings.php" and the `username` field in "login.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpDirectorySource version 1.1.06 **Description** The issue concerns SQL injection vulnerabilities. Remote attackers can execute arbitrary SQL commands. This is possible via the `lid` parameter to "show.php" and the `login` parameter to "admin.php" when `magic quotes gpc` is disabled. **Recommendations** For phpDirectorySource version 1.1.06, consider disabling the `magic quotes gpc` feature to prevent SQL injection attacks, or update the `show.php` and `admin.php` files to properly sanitize the `lid` and `login` parameters. As a temporary workaround, restrict access to the "show.php" and "admin.php" files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cpLinks version 1.03 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `admin username` parameter to "admin/index.php" and the `search text` and `search category` parameters to "search.php", when magic quotes gpc is disabled. **Recommendations** For cpLinks version 1.03, consider disabling the use of the `admin username`, `search text`, and `search category` parameters until a patch is available. Additionally, enabling magic quotes gpc can help mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** cpLinks version 1.03 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `search text` and `search category` parameters in the "search.php" file. This reportedly occurs in a forced SQL error message. **Recommendations** For cpLinks version 1.03, consider restricting the input for the `search text` and `search category` parameters to prevent arbitrary web script or HTML injection until a patch is available. As a temporary workaround, avoid using the `search text` and `search category` parameters in the affected "search.php" file.

**Name of the Vulnerable Software and Affected Versions** fipsCMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `lg` parameter in the `/modules/print.asp` API endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPEasyData version 1.5.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `cat id` parameter in the annuaire.php file. **Recommendations** For PHPEasyData version 1.5.4, consider restricting access to the annuaire.php file until a patch is available, and avoid using the `cat id` parameter in this file to minimize the risk of exploitation.