Larry0

**Name of the Vulnerable Software and Affected Versions** xaviershay-dm-rails gem version 0.10.3.8 **Description** The issue allows local users to discover MySQL credentials by listing a process and its arguments. This is due to a flaw in the `execute()` function in the `/datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb` file, which exposes sensitive information via the process table. A local attack may gain access to MySQL credential information. **Recommendations** For xaviershay-dm-rails gem version 0.10.3.8, consider disabling the `execute()` function in the `/datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb` file as a temporary workaround until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files version 1.7.6 WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files versions prior to 1.7.6 **Description** The WordPress Plugin mb.miniAudioPlayer-an HTML5 audio player for your mp3 files is prone to multiple vulnerabilities, including open proxy and security bypass vulnerabilities, due to its failure to properly verify user-supplied input. An attacker may leverage these issues to hide attacks directed at a target site from behind a vulnerable website or to perform otherwise restricted actions. The attacker can subsequently download files with the extensions mp3, mp4a, wav, and ogg from anywhere the web server application has read access to the system. **Recommendations** For version 1.7.6, update to a newer version that contains a fix for this issue. For versions prior to 1.7.6, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpzag live add edit delete data tables records with ajax php mysql (affected versions not specified) **Description** The issue is related to SQL injection in the order and column parameters in Records.php. This is due to a lack of protection measures for the SQL query structure in the DataTables library. Exploitation of this issue could allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpzag live add edit delete data tables records with ajax php mysql (affected versions not specified) **Description** The issue is related to a lack of protection against SQL query structure exploitation, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability involves SQL injection with `start` and `length` parameters in Records.php. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpzag live add edit delete data tables records with ajax php mysql (affected versions not specified) **Description** The issue is related to a lack of protection against SQL query structure exploitation, potentially allowing a remote attacker to impact the confidentiality, integrity, and availability of protected information. The vulnerability involves SQL injection with the `search` parameter in Records.php. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: DeleGate version 9.9.13 Description: The issue allows local users to gain privileges, as demonstrated by the dgcpnod setuid program. Recommendations: For DeleGate version 9.9.13, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Features version 0.3.0 **Description** The issue allows remote attackers to inject malicious html in the "/tmp" directory. **Recommendations** For version 0.3.0, consider restricting access to the `/tmp` directory to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Easy2map-photos WordPress Plugin version 1.09 **Description** The issue allows SQL Injection due to unsanitized variables, including `mapTemplateName`, `mapName`, `mapSettingsXML`, `parentCSSXML`, `photoCSSXML`, `mapCSSXML`, `mapHTML`, and `mapID`. **Recommendations** For Easy2map-photos WordPress Plugin version 1.09, consider updating to a newer version that addresses this issue, if available. As a temporary workaround, restrict access to the plugin's functionality that utilizes these variables to minimize the risk of exploitation. Avoid using the variables `mapTemplateName`, `mapName`, `mapSettingsXML`, `parentCSSXML`, `photoCSSXML`, `mapCSSXML`, `mapHTML`, and `mapID` in sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** YingZhi Python Programming Language version 1.9 **Description** The issue allows for arbitrary anonymous uploads to the phone's storage. **Recommendations** For version 1.9, consider restricting access to the upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Fileutils versions prior to 0.7.1 **Description** The issue concerns a Command Injection vulnerability. It occurs when a user-supplied `url` variable is passed to the shell, allowing for potential command injection. **Recommendations** For versions prior to 0.7.1, update to version 0.7.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of user-supplied `url` variables in the affected function until a patch is available. Avoid using the `url` variable in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Easy2map-photos WordPress Plugin version 1.09 **Description** The issue allows path traversal when specifying file names, enabling the creation of files outside of the upload directory. This is due to a vulnerability in the MapPinImageUpload.php and MapPinIconSave.php files. **Recommendations** For Easy2map-photos WordPress Plugin version 1.09, consider restricting access to the MapPinImageUpload.php and MapPinIconSave.php files until a patch is available. As a temporary workaround, avoid using the plugin's file upload functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mambo CMS version 4.6.5 **Description** A vulnerability in the scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php discloses the root path of the webserver. **Recommendations** For Mambo CMS version 4.6.5, consider restricting access to the vulnerable scripts thumbs.php, editorFrame.php, editor.php, images.php, manager.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and News letter version 2.5.1.8 Description: The issue is related to a reflected XSS vulnerability that requires administrative privileges to exploit. It is located in the integration-contact-form.html.php file at line 15 and can be triggered via a POST request using the `html id` variable. Recommendations: For WordPress Arigato Autoresponder and News letter version 2.5.1.8, consider restricting access to the integration-contact-form.html.php file until a patch is available, and avoid using the `html id` variable in POST requests to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: No specific software or versions mentioned. Description: The issue involves an XSS vulnerability that can be exploited via a POST request variable `classes` in the integration-contact-form.html.php file at line 14. This vulnerability requires administrative privileges to exploit. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and News letter version 2.5.1.8 Description: The issue is related to a reflected XSS vulnerability that requires administrative privileges to exploit. It is located in the list-user.html.php file and can be triggered via a GET request using the `offset` variable. Recommendations: For WordPress Arigato Autoresponder and News letter version 2.5.1.8, consider restricting access to the list-user.html.php file and avoid using the `offset` variable in GET requests until a patch is available. As a temporary workaround, restrict administrative privileges to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and News letter version 2.5.1.8 Description: The issue is a reflected XSS vulnerability that requires administrative privileges to exploit. Recommendations: For WordPress Arigato Autoresponder and News letter version 2.5.1.8, update to a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and News letter version 2.5.1.8 Description: The issue is a reflected XSS vulnerability that requires administrative privileges to exploit. Recommendations: For WordPress Arigato Autoresponder and News letter version 2.5.1.8, update to a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: No specific software or version is mentioned. Description: The issue involves an XSS vulnerability that can be exploited via the `filter signup date` parameter in the bft list.html.php file, specifically at line 43. This vulnerability requires administrative privileges to exploit. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and News letter version 2.5.1.8 Description: The issue is related to a reflected XSS vulnerability that requires administrative privileges to exploit. It is located in the unsubscribe.html.php file and can be triggered via a GET request to the `email` variable. Recommendations: For WordPress Arigato Autoresponder and News letter version 2.5.1.8, consider restricting access to the unsubscribe.html.php file until a patch is available. As a temporary workaround, avoid using the `email` variable in the affected GET request to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WordPress Arigato Autoresponder and Newsletter version 2.5.1.8 Description: The issue is related to a blind SQL injection vulnerability that can be exploited via the `del ids` variable by sending a POST request. This vulnerability requires administrative privileges to exploit. Recommendations: For WordPress Arigato Autoresponder and Newsletter version 2.5.1.8, consider restricting access to the `del ids` variable to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the `del ids` variable in POST requests to prevent potential SQL injection attacks.