Matrix_Killer

**Name of the Vulnerable Software and Affected Versions** myWebland MyBloggie version 2.1.3 **Description** The issue allows remote attackers to hijack sessions and conduct cross-site scripting (XSS) attacks via a cookie, due to a CRLF injection vulnerability in index.php and admin.php. **Recommendations** For myWebland MyBloggie version 2.1.3, consider updating to a newer version that addresses the CRLF injection vulnerability in index.php and admin.php to prevent session hijacking and cross-site scripting (XSS) attacks.

**Name of the Vulnerable Software and Affected Versions** Webland MyBloggie version 2.1.3 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `post id` parameter in "index.php" and the search function. **Recommendations** For Webland MyBloggie version 2.1.3, avoid using the `post id` parameter in "index.php" and restrict access to the search function until a fix is available.

**Name of the Vulnerable Software and Affected Versions** G-Book version 1.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `g message` parameter in the guestbook.php file. **Recommendations** For G-Book version 1.0, avoid using the `g message` parameter in the guestbook.php file until a fix is available. As a temporary workaround, consider validating and sanitizing user input to the `g message` parameter to prevent malicious script injection.

**Name of the Vulnerable Software and Affected Versions** phpmyfamily version 1.4.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `name` parameter in the "track.php" file. **Recommendations** For phpmyfamily version 1.4.1, consider restricting access to the track.php file until a patch is available, and avoid using the `name` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Land Down Under (LDU) versions 801 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `c` parameter to API endpoints such as "events.php", "index.php", or "list.php". **Recommendations** For versions 801 and earlier, consider restricting access to the `c` parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the `c` parameter in "events.php", "index.php", or "list.php" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPFreeNews versions 1.40 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `NewsMode` parameter to `NewsCategoryForm.php`, or the `Match` or `NewsMode` parameter to `SearchResults.php`. **Recommendations** For PHPFreeNews versions 1.40 and earlier, consider restricting access to the `NewsCategoryForm.php` and `SearchResults.php` scripts until a fix is available. As a temporary workaround, avoid using the `NewsMode` and `Match` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** PHPFreeNews versions 1.40 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `Match` or `CatID` parameter to "SearchResults.php", or the `password` to "AccessControl.php". **Recommendations** For PHPFreeNews versions 1.40 and earlier, as a temporary workaround, consider restricting access to the "SearchResults.php" and "AccessControl.php" scripts until a patch is available. Avoid using the `Match` and `CatID` parameters in the "SearchResults.php" script and the `password` parameter in the "AccessControl.php" script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.