Mike Manzotti

#12455of 53,633
21.8Total CVSS
Vulnerabilities · 4
Low
1
Medium
2
High
1
PT-2014-6388
3.5
2014-10-20
Pro Chat Rooms · Pro Chat Rooms Text Chat Rooms · CVE-2014-5276
**Name of the Vulnerable Software and Affected Versions** Pro Chat Rooms Text Chat Rooms version 8.2.0 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This can be achieved via two methods: (1) uploading a malicious profile picture or (2) manipulating the `edit` parameter in the `profiles/index.php` API endpoint. **Recommendations** For Pro Chat Rooms Text Chat Rooms version 8.2.0, consider disabling the profile picture upload feature and restricting access to the `profiles/index.php` endpoint until a patch is available. Avoid using the `edit` parameter in the `profiles/index.php` endpoint to minimize the risk of exploitation.
PT-2014-6331
7.5
2014-08-07
Sphider · Sphider · CVE-2014-5192
**Name of the Vulnerable Software and Affected Versions** Sphider version 1.3.6 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `filter` parameter in the "admin/admin.php" endpoint. **Recommendations** For Sphider version 1.3.6, avoid using the `filter` parameter in the "admin/admin.php" endpoint until a patch is available. As a temporary workaround, consider restricting access to the "admin/admin.php" endpoint to minimize the risk of exploitation.
PT-2014-6332
4.3
2014-08-07
Sphider · Sphider · CVE-2014-5193
**Name of the Vulnerable Software and Affected Versions** Sphider version 1.3.6 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `category` parameter in the admin/admin.php file. **Recommendations** For Sphider version 1.3.6, consider restricting access to the `category` parameter in the admin/admin.php file until a patch is available. Avoid using the `category` parameter in the affected endpoint until the issue is resolved.
PT-2014-6333
6.5
2014-08-07
Sphider · Sphider · CVE-2014-5194
**Name of the Vulnerable Software and Affected Versions** Sphider version 1.3.6 **Description** A static code injection issue allows remote authenticated users to inject arbitrary PHP code into settings/conf.php via the ` word upper bound` parameter in admin/admin.php. **Recommendations** For Sphider version 1.3.6, avoid using the ` word upper bound` parameter in the admin/admin.php file until a patch is available. As a temporary workaround, consider restricting access to the admin/admin.php file to minimize the risk of exploitation.