Philipp Niedziela

**Name of the Vulnerable Software and Affected Versions** PHPKit version 1.6.1 RC2 **Description** The issue allows remote attackers to inject arbitrary SQL commands via the `catid` parameter to "include.php" when the `path` parameter is set to "faq/faq.php", and other unspecified vectors involving "guestbook/print.php". **Recommendations** For PHPKit version 1.6.1 RC2, consider restricting access to the `catid` parameter in the "include.php" file when the `path` parameter is set to "faq/faq.php" to minimize the risk of exploitation. Avoid using the `catid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PSYWERKS PUMA version 1.0 RC2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `fpath` parameter in the config.php file. **Recommendations** For PSYWERKS PUMA version 1.0 RC2, consider restricting access to the `fpath` parameter in the config.php file to minimize the risk of exploitation. Avoid using the `fpath` parameter with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WEBInsta Mailing List Manager version 1.3e **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `cabsolute path` parameter in the install3.php file. **Recommendations** For WEBInsta Mailing List Manager version 1.3e, consider restricting access to the install3.php file to minimize the risk of exploitation. Avoid using the `cabsolute path` parameter in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ME Download System version 1.3 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `Vb8878b936c2bd8ae0cab` parameter in the templates/header.php file. **Recommendations** For ME Download System version 1.3, consider restricting access to the templates/header.php file to minimize the risk of exploitation. Avoid using the `Vb8878b936c2bd8ae0cab` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpAMA versions 3.2.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `installed config file` parameter in the auto check renewals.php file. **Recommendations** For versions 3.2.4 and earlier, update to a version later than 3.2.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** USOLVED NEWSolved Lite versions 1.9.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `abs path` parameter to various PHP files, including "newsscript lyt.php", "newsticker/newsscript get.php", "inc/output/news theme1.php", "inc/output/news theme2.php", and "inc/output/news theme3.php". **Recommendations** For USOLVED NEWSolved Lite versions 1.9.2 and earlier, consider restricting access to the `abs path` parameter in the affected PHP files until a patch is available. As a temporary workaround, avoid using the `abs path` parameter in the affected API endpoints until the issue is resolved. Restrict access to the vulnerable PHP files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Search Engine Project (TSEP) version 0.942 **Description** A remote file inclusion issue exists, allowing remote attackers to execute arbitrary PHP code. This is achieved by providing a URL in the `tsep config[absPath]` parameter. **Recommendations** For version 0.942, consider restricting access to the `copyright.php` file to minimize the risk of exploitation. Avoid using the `tsep config[absPath]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Albasoftware Phpauction versions 2.1 and possibly later versions, with phpAdsNew 2.0.5 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phpAds path` parameter. This is a result of a PHP remote file inclusion vulnerability in the `view.inc.php` file of Albasoftware Phpauction. **Recommendations** For Albasoftware Phpauction versions 2.1 and possibly later versions, with phpAdsNew 2.0.5, consider restricting access to the `view.inc.php` file to minimize the risk of exploitation. Avoid using the `phpAds path` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP Layers Menu versions 2.3.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `myng root` parameter in the `/lib/tree/layersmenu.inc.php` file. **Recommendations** For PHP Layers Menu versions 2.3.5 and earlier, consider restricting access to the `/lib/tree/layersmenu.inc.php` file until a patch is available. Avoid using the `myng root` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.