Mustlive

**Name of the Vulnerable Software and Affected Versions** Subscribe to Comments Plugin versions up to 2.0.7 **Description** A problematic vulnerability was found in the Subscribe to Comments Plugin, affecting an unknown part of the file subscribe-to-comments.php. The manipulation leads to cross site scripting and can be initiated remotely. **Recommendations** For versions up to 2.0.7, upgrade to version 2.0.8 to address this issue. As a temporary workaround, consider restricting access to the affected `subscribe-to-comments.php` file until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** Bitrix Site Manager version 12.06.2015 **Description** A problematic vulnerability was found in the Contact Form component of Bitrix Site Manager. The issue arises from the manipulation of the `text` argument with a malicious input, such as `<img src="http://1"; on onerror="$(’p').text(’Hacked’)" />`, leading to basic cross-site scripting. This attack can be launched remotely. The exploit has been publicly disclosed and may be used. **Recommendations** For Bitrix Site Manager version 12.06.2015, consider disabling the Contact Form component until a patch is available to prevent exploitation. Restrict access to the component to minimize the risk of cross-site scripting attacks. Avoid using the `text` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LongTail Video JW Player versions through 5.10.2295 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `link`, `logo.link`, or `aboutlink` parameter, or a nested URI scheme name for `javascript`, `asfunction`, or `vbscript`. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For versions through 5.10.2295, consider disabling the parameters `link`, `logo.link`, and `aboutlink` to prevent exploitation until a patch is available. Restrict the use of nested URI scheme names for `javascript`, `asfunction`, or `vbscript` in the JW Player to minimize the risk of cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** Joomla! Googlemaps plugin version 3.2 and earlier **Description** The issue allows remote attackers with control of a sub-domain belonging to a victim domain to cause a denial of service. This is achieved via the `url` parameter to the "plugin googlemap3 kmlprxy.php" endpoint. **Recommendations** For Joomla! Googlemaps plugin version 3.2 and earlier, consider restricting access to the "plugin googlemap3 kmlprxy.php" endpoint to minimize the risk of exploitation. Avoid using the `url` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Joomla Googlemaps plugin versions prior to 3.1 Description: The issue allows remote attackers to cause a denial of service. This can be achieved via the `url` parameter to the "plugin googlemap2 proxy.php" endpoint. Recommendations: For versions prior to 3.1, update to version 3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** IBM Domino versions 8.5.x before 8.5.3 FP6 IF8 IBM Domino versions 9.x before 9.0.1 FP4 **Description** A cross-site scripting (XSS) issue exists in the web server of IBM Domino when Webmail is enabled. This allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. **Recommendations** For IBM Domino versions 8.5.x before 8.5.3 FP6 IF8, update to version 8.5.3 FP6 IF8 or later. For IBM Domino versions 9.x before 9.0.1 FP4, update to version 9.0.1 FP4 or later.

**Name of the Vulnerable Software and Affected Versions** ASUS RT-G32 routers versions 2.0.2.6 through 2.0.3.2 **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that change the administrator password via a request to "start apply.htm". **Recommendations** For version 2.0.2.6, update the firmware to a version that is not affected by this issue. For version 2.0.3.2, update the firmware to a version that is not affected by this issue. As a temporary workaround, consider restricting access to the "start apply.htm" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ASUS RT-G32 routers versions 2.0.2.6 through 2.0.3.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via vulnerable parameters. The parameters `next page`, `group id`, `action script`, or `flag` in the "start apply.htm" endpoint are affected. **Recommendations** For version 2.0.2.6, avoid using the parameters `next page`, `group id`, `action script`, or `flag` in the "start apply.htm" endpoint until a fix is available. For version 2.0.3.2, avoid using the parameters `next page`, `group id`, `action script`, or `flag` in the "start apply.htm" endpoint until a fix is available. As a temporary workaround, consider restricting access to the "start apply.htm" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WordPress versions 2.0.11 and earlier **Description** A cross-site request forgery (CSRF) issue exists in the retrospam component, allowing remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. This occurs due to a vulnerability in the wp-admin/options-discussion.php file. **Recommendations** For WordPress versions 2.0.11 and earlier, update to a version later than 2.0.11 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The product name cannot be determined. **Description** General information about the issue is not available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMS WebManager-Pro versions prior to 8.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the c.php file. **Recommendations** For versions prior to 8.1, update to version 8.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the c.php file or validating and sanitizing the `id` parameter to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** W-Agora versions 4.2.1 and earlier **Description** A directory traversal issue exists, allowing remote attackers to include and execute arbitrary local files. This is achieved by providing a .. (dot dot) in the `bn` parameter of the search.php3 (also known as search.php) file. **Recommendations** For versions 4.2.1 and earlier, consider restricting access to the search.php3 file until a patch is available. As a temporary workaround, avoid using the `bn` parameter in the search.php3 file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** W-Agora versions 4.2.1 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `bn` parameter in the "search.php3" (also known as "search.php") file. **Recommendations** For versions 4.2.1 and earlier, consider restricting access to the vulnerable "search.php3" file until a patch is available. As a temporary workaround, avoid using the `bn` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 2.11.x through 2.11.11.1 phpMyAdmin versions 3.3.x through 3.3.9.0 **Description** The issue arises from improper handling of missing files, specifically the README, ChangeLog, and LICENSE files. This allows remote attackers to determine the installation path by requesting a nonexistent file. **Recommendations** For phpMyAdmin versions 2.11.x through 2.11.11.1, update to version 2.11.11.2 to resolve the issue. For phpMyAdmin versions 3.3.x through 3.3.9.0, update to version 3.3.9.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.0.9 SeaMonkey version 1.1.17 Mozilla Firefox version 3.6 a1 pre Mozilla versions 1.7.x and earlier **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to injecting a Refresh header or specifying the content of a Refresh header in HTTP responses, due to the failure to block javascript: URIs in Refresh headers. **Recommendations** For Mozilla Firefox versions prior to 3.0.9, update to version 3.0.9 or later. For SeaMonkey version 1.1.17, update to a version later than 1.1.17. For Mozilla Firefox version 3.6 a1 pre, update to a version later than 3.6 a1 pre. For Mozilla versions 1.7.x and earlier, update to a version later than 1.7.x.

**Name of the Vulnerable Software and Affected Versions** myPHPNuke (MPN) versions prior to 1.8.8 8rc2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `artid` parameter in the printfeature.php file. **Recommendations** For versions prior to 1.8.8 8rc2, update to version 1.8.8 8rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to the printfeature.php file to minimize the risk of exploitation. Avoid using the `artid` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** myPHPNuke (MPN) versions prior to 1.8.8 8rc2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `sid` parameter in the "print.php" file. **Recommendations** For versions prior to 1.8.8 8rc2, update to version 1.8.8 8rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "print.php" file or avoiding the use of the `sid` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** myPHPNuke (MPN) versions prior to 1.8.8 8rc2 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `sid` parameter in the "print.php" file. **Recommendations** For versions prior to 1.8.8 8rc2, update to version 1.8.8 8rc2 or later to resolve the issue. As a temporary workaround, consider restricting access to the print.php file to minimize the risk of exploitation. Avoid using the `sid` parameter in the affected print.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PowerPhlogger versions 2.2.5 and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `css str` parameter in an edit action. **Recommendations** For PowerPhlogger versions 2.2.5 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Captcha! plugin for WordPress versions 2.5d and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `captcha ttffolder`, `captcha numchars`, `captcha ttfrange`, or `captcha secret` parameters in the captcha/captcha.php file. **Recommendations** For Captcha! plugin for WordPress versions 2.5d and earlier, update to a version later than 2.5d to resolve the issue.