Omid

Name of the Vulnerable Software and Affected Versions: Joomla! versions prior to 1.5 RC2 Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, likely related to the archive section. Recommendations: For versions prior to 1.5 RC2, update to version 1.5 RC2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PostNuke version 0.762 **Description** A SQL injection issue exists in the Admin section of PostNuke, allowing remote attackers to execute arbitrary SQL commands. This is achieved via the `hits` parameter in the modules/Downloads/admin.php file. **Recommendations** For PostNuke version 0.762, avoid using the `hits` parameter in the affected admin.php file until a fix is available. As a temporary workaround, consider restricting access to the modules/Downloads/admin.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** F-ART BLOG:CMS version 4.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `xagent`, `xpath`, `xreferer`, and `xdns` parameters in admin/plugins/NP Log.php, and the `pitem` parameter in admin/plugins/NP Poll.php. Additionally, remote authenticated users can execute arbitrary SQL commands via the `pageRef` parameter in admin/plugins/NP Referrer.php. **Recommendations** For F-ART BLOG:CMS version 4.1, consider disabling the `NP Log.php`, `NP Poll.php`, and `NP Referrer.php` plugins until a patch is available. Restrict access to the `xagent`, `xpath`, `xreferer`, `xdns`, `pitem`, and `pageRef` parameters to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tikiwiki version 1.9.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in the tiki-g-admin processes.php file, specifically via the `pid` and `where` parameters. **Recommendations** For Tikiwiki version 1.9.4, consider restricting access to the tiki-g-admin processes.php file to minimize the risk of exploitation. Avoid using the `pid` and `where` parameters in this file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** e107 version 0.7.5 **Description** The issue concerns SQL injection vulnerabilities in the admin section, allowing remote authenticated administrative users to execute arbitrary SQL commands. This is possible via specific parameters in various PHP files, including `linkopentype`, `linkrender`, `link class`, and `link id` in `links.php`, `searchquery` in `users.php`, and `download category class` in `download.php`. **Recommendations** For e107 version 0.7.5, consider restricting access to the admin section and limiting the privileges of administrative users to minimize the risk of exploitation. As a temporary workaround, avoid using the vulnerable parameters `linkopentype`, `linkrender`, `link class`, `link id`, `searchquery`, and `download category class` in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RunCMS version 1.4.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `uid` parameter in `class/sessions.class.php`, and the `timezone offset` and `umode` parameters in `class/xoopsuser.php`. **Recommendations** For RunCMS version 1.4.1, consider restricting access to the `class/sessions.class.php` and `class/xoopsuser.php` files until a patch is available. Avoid using the `uid`, `timezone offset`, and `umode` parameters in the affected files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple Machines Forum version 1.1 RC3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `cur cat` parameter in the Sources/ManageBoards.php file. **Recommendations** For Simple Machines Forum version 1.1 RC3, avoid using the `cur cat` parameter in the affected API endpoint until the issue is resolved. Consider restricting access to the Sources/ManageBoards.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Xoops versions prior to 2.0.15 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `user avatar` parameter in the edituser.php file. **Recommendations** For versions prior to 2.0.15, update to version 2.0.15 or later to resolve the issue. As a temporary workaround, consider restricting access to the edituser.php file or avoiding the use of the `user avatar` parameter until the update is applied.