Net.Edit0R

**Name of the Vulnerable Software and Affected Versions** vBulletin VBSEO module (affected versions not specified) **Description** The issue allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php. This is due to a problem in the functions vbseo hook.php file within the VBSEO module. **Recommendations** For the VBSEO module, consider disabling the functions vbseo hook.php file as a temporary workaround until a patch is available. Restrict access to the visitormessage.php file to minimize the risk of exploitation. Avoid using the HTTP Referer header in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpAlbum versions 0.4.1.16 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `var1` and `keyword` parameters in the main.php file. **Recommendations** For phpAlbum versions 0.4.1.16 and earlier, avoid using the `var1` and `keyword` parameters in the main.php file until a fix is available. As a temporary workaround, consider restricting access to the main.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** phpAlbum versions 0.4.1.16 and earlier **Description** The issue allows remote attackers to read arbitrary files due to a directory traversal vulnerability in the main.php file. This is achieved by using a .. (dot dot) in the `var1` parameter. **Recommendations** For phpAlbum versions 0.4.1.16 and earlier, consider restricting access to the main.php file or the `var1` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MantisBT versions prior to 1.2.7 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via a parameter. For example, the `project id` parameter to the "search.php" endpoint is vulnerable. This could potentially lead to malicious script execution. **Recommendations** For versions prior to 1.2.7, update to version 1.2.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `filter api.php` file and the `search.php` endpoint to minimize the risk of exploitation. Avoid using the `project id` parameter in the affected endpoint until the issue is resolved.