Knockout

**Name of the Vulnerable Software and Affected Versions** UCenter Home version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `shopid` parameter in a "view" action, specifically targeting the shop.php file. **Recommendations** For UCenter Home version 2.0, consider restricting access to the shop.php file until a patch is available, and avoid using the `shopid` parameter in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** xWeblog version 2.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `makale id` parameter in the oku.asp file. **Recommendations** For xWeblog version 2.2, consider restricting access to the oku.asp file or the `makale id` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chipmunk Pwngame version 1.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `username` and `password` parameters to "authenticate.php" and the `ID` parameter to "pwn.php" when magic quotes gpc is disabled. **Recommendations** For Chipmunk Pwngame version 1.0, consider disabling the `authenticate.php` and `pwn.php` scripts until a patch is available, or restrict access to these scripts to minimize the risk of exploitation. Avoid using the `username`, `password`, and `ID` parameters in the affected API endpoints until the issue is resolved. Additionally, enable magic quotes gpc to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** Truworth Flex Timesheet (affected versions not specified) **Description** The issue concerns multiple SQL injection vulnerabilities in the log-in form. These vulnerabilities allow remote attackers to execute arbitrary SQL commands by manipulating the `Username` and `Password` fields in the log-in form. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Site2Nite Auto e-Manager (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `ID` parameter in the "detail.asp" page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wpQuiz version 2.7 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is possible via the `id` and `password` (`pw`) parameters to "admin.php" or "user.php" API endpoints. **Recommendations** For wpQuiz version 2.7, consider restricting access to the "admin.php" and "user.php" API endpoints until a patch is available. As a temporary workaround, avoid using the `id` and `password` (`pw`) parameters in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phPortal version 1.0 **Description** The issue allows remote attackers to bypass authentication and gain administrative access. This is achieved by setting the `kulladi` cookie to a valid username, exploiting the `uye paneli.php` file in phPortal. **Recommendations** For phPortal version 1.0, consider temporarily restricting access to the `uye paneli.php` file until a patch is available. Additionally, avoid using the `kulladi` cookie for authentication purposes in the affected version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** sHibby sHop versions 2.2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `sayfa` parameter in the "default.asp" file. **Recommendations** For sHibby sHop versions 2.2 and earlier, consider restricting access to the `sayfa` parameter in the default.asp file until a patch is available. As a temporary workaround, avoid using the `sayfa` parameter in the affected default.asp file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** sHibby sHop versions 2.2 and earlier **Description** The issue allows remote attackers to update a file or have unspecified other impact via a direct request to "upgrade.asp" without requiring administrative authentication. **Recommendations** For sHibby sHop versions 2.2 and earlier, consider restricting access to the "upgrade.asp" file until a patch is available, and ensure that proper administrative authentication is required for any updates.

**Name of the Vulnerable Software and Affected Versions** sHibby sHop versions 2.2 and earlier **Description** The issue allows remote attackers to download a database due to insufficient access control of sensitive information stored under the web root. This can be achieved via a direct request to "Db/urun.mdb". **Recommendations** For versions 2.2 and earlier, consider restricting access to the database file "urun.mdb" to prevent unauthorized downloads until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** I-Pos Internet Pay Online Store versions 1.3 Beta and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `item` parameter in the "index.asp" file. **Recommendations** For versions 1.3 Beta and earlier, consider restricting access to the `item` parameter in the "index.asp" file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Aterr version 0.9.1 **Description** The issue allows remote attackers to include and execute arbitrary local files. This is achieved by exploiting directory traversal vulnerabilities using a .. (dot dot) in the `class` parameter to "include/functions.inc.php" and the `file` parameter to "include/common.inc.php". **Recommendations** For Aterr version 0.9.1, consider restricting access to the "include/functions.inc.php" and "include/common.inc.php" files to minimize the risk of exploitation. Avoid using the `class` and `file` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cuteflow Bin version 1.5.0 **Description** The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `language` parameter in the "login.php" file. **Recommendations** For version 1.5.0, consider restricting access to the `login.php` file or validating the `language` parameter to prevent directory traversal attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Arcadem LE versions 2.04 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `loadadminpage` parameter in the admin/frontpage right.php file. **Recommendations** For Arcadem LE versions 2.04 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.