Moudi

**Name of the Vulnerable Software and Affected Versions** Virtue Shopping Mall (affected versions not specified) **Description** A SQL injection issue exists in the detail.php file of Virtue Shopping Mall, allowing remote attackers to execute arbitrary SQL commands by manipulating the `prodid` parameter in the API endpoint. **Recommendations** For Virtue Shopping Mall, avoid using the `prodid` parameter in the affected detail.php file until the issue is resolved. Restrict access to the detail.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Accessories Me PHP Affiliate Script version 1.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `Keywords` parameter to "search.php" and the `SearchIndex` parameter to "browse.php". **Recommendations** For Accessories Me PHP Affiliate Script version 1.4, avoid using the `Keywords` parameter in the "search.php" endpoint and the `SearchIndex` parameter in the "browse.php" endpoint until the issue is resolved. Consider temporarily restricting access to these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Accessories Me PHP Affiliate Script version 1.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `Go` parameter in the "browse.php" file. **Recommendations** For Accessories Me PHP Affiliate Script version 1.4, consider restricting access to the `browse.php` file or validating and sanitizing the `Go` parameter to prevent SQL injection attacks. As a temporary workaround, avoid using the `Go` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TotalCalendar version 2.4 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `selectedCal` parameter in a SwitchCal action within the rss.php file. **Recommendations** For TotalCalendar version 2.4, consider restricting access to the rss.php file or the SwitchCal action to minimize the risk of exploitation. Avoid using the `selectedCal` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TotalCalendar version 2.4 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files and possibly have other unspecified impacts by using a .. (dot dot) in the `box` parameter of the box display.php file. **Recommendations** For TotalCalendar version 2.4, consider restricting access to the box display.php file until a patch is available, and avoid using the `box` parameter with unvalidated input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SkaDate Dating (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `language id` parameter in the index.php file. This can also be used to include and execute arbitrary local files via directory traversal sequences. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** x10 Adult Media Script version 1.7 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the "report.php" API endpoint. **Recommendations** For x10 Adult Media Script version 1.7, consider restricting access to the `id` parameter in the report.php endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** x10 Adult Media Script version 1.7 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through several parameters, including the `pic id` parameter to "includes/video ad.php", the `category` parameter to "linkvideos listing.php", the `id` parameter to "templates/header1.php", and the `key` parameter to "video listing.php". **Recommendations** For x10 Adult Media Script version 1.7, consider disabling the affected parameters, such as `pic id`, `category`, `id`, and `key`, in their respective scripts until a patch is available. Restrict access to the vulnerable scripts, including "includes/video ad.php", "linkvideos listing.php", "templates/header1.php", and "video listing.php", to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SkaDate Dating (affected versions not specified) **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the index.php file. This is achieved by using a .. (dot dot) in the `layout` parameter of the '/index.php' endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SkaDate Dating (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected API endpoints include "admin/auth.php" and "file uploader.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XOOPS Celepar Qas module (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the Qas module, specifically via the `codigo` parameter to "aviso.php" and "imprimir.php", and the `cod categoria` parameter to "categoria.php". **Recommendations** For the XOOPS Celepar Qas module, consider restricting access to the "aviso.php", "imprimir.php", and "categoria.php" scripts until a patch is available. As a temporary workaround, avoid using the `codigo` and `cod categoria` parameters in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RadLance Gold version 7.5 **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `pr` parameter in a 'ulist' action within the index.php file. **Recommendations** For RadLance Gold version 7.5, consider restricting access to the index.php file until a patch is available, or avoid using the `pr` parameter in the 'ulist' action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Good/Bad Vote (affected versions not specified) **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by using directory traversal sequences in the `id` parameter within a 'dovote' action in the 'vote.php' file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Good/Bad Vote (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `id` parameter in a vote action. This occurs in the vote.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RadNICS Gold version 5 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `order` parameter in a "ulist" action and the `fid` parameter in a "view forum" action. **Recommendations** For RadNICS Gold version 5, update the software to a version that includes a fix for these XSS vulnerabilities, if available. As a temporary workaround, consider restricting access to the `index.php` file, especially for the "ulist" and "view forum" actions, to minimize the risk of exploitation. Avoid using the `order` and `fid` parameters in the affected actions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RadNICS Gold version 5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `fid` parameter in a "view forum" action in the index.php file. **Recommendations** For RadNICS Gold version 5, consider restricting access to the index.php file or the "view forum" action to minimize the risk of exploitation. Avoid using the `fid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RadLance Gold version 7.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `fid` parameter in a "view forum" action in the index.php file. **Recommendations** For RadLance Gold version 7.5, consider restricting access to the `fid` parameter in the "view forum" action until a patch is available. As a temporary workaround, avoid using the `fid` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpDirectorySource versions 1.x **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `st` parameter in the "search.php" file. **Recommendations** For phpDirectorySource version 1.x, consider restricting access to the vulnerable "search.php" file until a patch is available. As a temporary workaround, avoid using the `st` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpDirectorySource versions 1.x **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `st` parameter in the "search.php" file. **Recommendations** For phpDirectorySource version 1.x, consider restricting access to the search.php file until a patch is available. As a temporary workaround, avoid using the `st` parameter in the search functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Miniweb version 2.0 **Description** A cross-site scripting (XSS) issue exists in the Survey Pro module, allowing remote attackers to inject arbitrary web script or HTML via the PATH INFO to "index.php". **Recommendations** For Miniweb version 2.0, update the Survey Pro module to a version that fixes this issue, or as a temporary workaround, consider restricting access to the index.php file to minimize the risk of exploitation.