Lost.Hacker

**Name of the Vulnerable Software and Affected Versions** MailForm version 1.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `theme` parameter in the index.php file. **Recommendations** For MailForm version 1.2, consider restricting access to the index.php file or validating the `theme` parameter to prevent remote file inclusion attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Saurus CMS version 4.7.0 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `class path` parameter to specific API endpoints, such as "file.php" or "com del.php". **Recommendations** For Saurus CMS version 4.7.0, consider restricting access to the "file.php" and "com del.php" endpoints to minimize the risk of exploitation. Avoid using the `class path` parameter in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** iJoomla Magazine (com magazine) component version 3.0.1 for Joomla! **Description** The issue allows remote attackers to execute arbitrary PHP code. This is achieved by providing a URL in the `config` parameter to `magazine.functions.php`. **Recommendations** For version 3.0.1, consider disabling access to `magazine.functions.php` until a patch is available to prevent exploitation. Restrict the use of the `config` parameter to minimize risk.

**Name of the Vulnerable Software and Affected Versions** AR Web Content Manager (AWCM) version 2.1 final **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `theme file` parameter to specific PHP files, such as includes/window top.php and header.php, or by manipulating the `lang file` parameter in control/common.php. **Recommendations** For AR Web Content Manager (AWCM) version 2.1 final, consider restricting access to the `includes/window top.php` and `header.php` files, as well as the `control/common.php` file, to minimize the risk of exploitation. Avoid using the `theme file` and `lang file` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Haudenschilt Family Connections CMS (FCMS) version 2.2.3 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `current user id` parameter to specific API endpoints, such as "familynews.php" and "settings.php". **Recommendations** For version 2.2.3, consider restricting access to the `familynews.php` and `settings.php` endpoints until a patch is available. Avoid using the `current user id` parameter in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DiY-CMS version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the following parameters: `lang` to "modules/guestbook/blocks/control.block.php", `main module` to "index.php", and `getFile` to "includes/general.functions.php". **Recommendations** For DiY-CMS version 1.0, consider disabling the `lang`, `main module`, and `getFile` parameters in the respective files until a patch is available. Restrict access to the "modules/guestbook/blocks/control.block.php", "index.php", and "includes/general.functions.php" files to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved.