Mr_Snake_My

#21046 of 53,632
11.8 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1
PT-2006-2159
7.5
2006-03-10
Vbzoom · Vbzoom · CVE-2006-1132
**Name of the Vulnerable Software and Affected Versions**

vbzoom version 1.11

**Description**

The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `MainID` parameter in the "show.php" file.

**Recommendations**

For vbzoom version 1.11, consider restricting access to the `MainID` parameter in the "show.php" file to minimize the risk of exploitation. Avoid using the `MainID` parameter until the issue is resolved.

PT-2006-2160
4.3
2006-03-10
Vbzoom · Vbzoom · CVE-2006-1133
**Name of the Vulnerable Software and Affected Versions**

vbzoom version 1.11

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to multiple cross-site scripting (XSS) vulnerabilities. This is achieved by injecting malicious input via the `UserID` parameter to specific API endpoints, such as "comment.php" or "contact.php".

**Recommendations**

For vbzoom version 1.11, consider restricting access to the `comment.php` and `contact.php` endpoints until a fix is available, and avoid using the `UserID` parameter in these endpoints to minimize the risk of exploitation.