Outlaw

**Name of the Vulnerable Software and Affected Versions** Mambo EstateAgent component (com estateagent) (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `mosConfig absolute path` parameter in the estateagent.php file. **Recommendations** For the affected version, consider disabling the `register globals` setting to prevent exploitation until a patch is available. Restrict access to the estateagent.php file in the EstateAgent component to minimize the risk of exploitation. Avoid using the `mosConfig absolute path` parameter in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fusion News version 3.7 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `fpath` parameter in the index.php file. **Recommendations** For Fusion News version 3.7, consider restricting access to the `fpath` parameter in the index.php file to minimize the risk of exploitation. Avoid using the `fpath` parameter with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mambo (com catalogshop) (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter in the catalogshop.php file of the CatalogShop component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AkoComment version 1.1 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `mosConfig absolute path` parameter. This can be achieved by manipulating the API endpoint, although the specific endpoint is not mentioned. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For AkoComment version 1.1, consider restricting access to the `mosConfig absolute path` parameter to minimize the risk of exploitation. Avoid using the `mosConfig absolute path` parameter in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FarsiNews versions 2.5.3 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `month` and `year` parameters in the "index.php" endpoint, and the `mod` parameter in the "admin.php" endpoint. **Recommendations** For FarsiNews versions 2.5.3 and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters `month`, `year`, and `mod` in the affected endpoints until a patch is available. Avoid using these parameters in the "index.php" and "admin.php" endpoints until the issue is resolved.