Mr-M07

**Name of the Vulnerable Software and Affected Versions** Phorum versions 3.2.11 and earlier **Description** A remote file inclusion issue allows attackers to execute arbitrary PHP code via a URL in the `db file` parameter. **Recommendations** For Phorum versions 3.2.11 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fantastic News versions 2.1.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `CONFIG[script path]` parameter. This is a different vector from other known issues. **Recommendations** For Fantastic News versions 2.1.4 and earlier, consider restricting access to the `headlines.php` file until a patch is available. As a temporary workaround, avoid using the `CONFIG[script path]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fantastic News versions 2.1.2 through 2.1.4 **Description** The issue allows remote attackers to include arbitrary files via the `CONFIG[script path]` variable in the archive.php file. **Recommendations** For versions 2.1.2 through 2.1.4, consider restricting access to the archive.php file until a patch is available. As a temporary workaround, avoid using the `CONFIG[script path]` variable in the archive.php file to minimize the risk of exploitation.