Kw3Rln

**Name of the Vulnerable Software and Affected Versions** XZero Community Classifieds versions 4.95.11 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `subcatid` parameter to the "index.php" endpoint. **Recommendations** For versions 4.95.11 and earlier, update to a version later than 4.95.11 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Entertainment Media Sharing CMS (affected versions not specified) Description: A directory traversal issue exists in the custom.php file, allowing remote attackers to include and execute arbitrary local files. This is achieved by using a .. (dot dot) in the `pagename` parameter. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Entertainment CMS (affected versions not specified) **Description** The issue allows remote attackers to bypass authentication and perform certain administrative actions by setting the `adminLogged` cookie to "Administrator". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AV Arcade version 2.1b **Description** The issue allows remote attackers to gain administrative privileges by setting the `ava userid` cookie value to 1, enabling them to perform certain administrative actions. **Recommendations** For AV Arcade version 2.1b, consider restricting access to the admin/index.php page until a fix is available, and avoid using the `ava userid` cookie value of 1 to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AV Arcade version 2.1b **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `id` parameter in a 'view page' action to 'index.php'. **Recommendations** For AV Arcade version 2.1b, consider restricting access to the `view page` action in 'index.php' to minimize the risk of exploitation. Avoid using the `id` parameter in the affected endpoint until the issue is resolved.