Mohandko

Name of the Vulnerable Software and Affected Versions: FreeNews version 2.1 Description: A directory traversal issue exists, allowing remote attackers to include local files. This is achieved by using a .. (dot dot) sequence in the `chemin` parameter when the `aff news` parameter is not set to "1". Recommendations: For FreeNews version 2.1, as a temporary workaround, consider restricting access to the `chemin` parameter in the affected `aff news.php` file until a patch is available. Avoid using the `chemin` parameter with unvalidated input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPOutsourcing Zorum versions 3.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `appDirName` parameter in the `gorum/dbproperty.php` file. **Recommendations** For PHPOutsourcing Zorum versions 3.5 and earlier, consider restricting access to the `gorum/dbproperty.php` file until a patch is available. Avoid using the `appDirName` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dayana Networks phpOnline (aka PHP-Online) version 2.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `LangFile` parameter in the strload.php file. **Recommendations** For Dayana Networks phpOnline (aka PHP-Online) version 2.1, consider restricting access to the strload.php file to minimize the risk of exploitation. Avoid using the `LangFile` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.