Qex

**Name of the Vulnerable Software and Affected Versions** Blog Mod versions 0.2.x **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `r` parameter in the weblog posting.php file. **Recommendations** For Blog Mod versions 0.2.x, consider restricting access to the weblog posting.php file until a patch is available. As a temporary workaround, avoid using the `r` parameter in the affected file to minimize the risk of exploitation.

Multiple cross-site scripting (XSS) vulnerabilities in Devsyn Open Bulletin Board (OpenBB) 1.0.6 allow remote attackers to inject arbitrary web script or HTML via (1) the FID parameter in board.php and (2) the TID parameter in read.php. NOTE: the SQL injection issues are already covered by CVE-2005-1612 (read.php) and CVE-2005-2566 (board.php).

**Name of the Vulnerable Software and Affected Versions** DevBB versions 1.0.0 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `member` parameter in a "viewpro" action. This could potentially lead to unauthorized actions on behalf of the user. **Recommendations** For DevBB versions 1.0.0 and earlier, as a temporary workaround, consider restricting access to the member.php file until a patch is available. Avoid using the `member` parameter in the affected action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Verosky Media Instant Photo Gallery versions prior to 1.0.2 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `cat id` parameter in the portfolio.php file. **Recommendations** For versions prior to 1.0.2, update to version 1.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the portfolio.php file or validating and sanitizing the `cat id` parameter to prevent malicious input.

**Name of the Vulnerable Software and Affected Versions** Verosky Media Instant Photo Gallery version 1.0.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the portfolio photo popup.php file, which is not properly cleansed before calling the `count click` function in includes/functions/fns std.php. This could potentially lead to resultant XSS. **Recommendations** For Verosky Media Instant Photo Gallery version 1.0.2, consider disabling the `count click` function in includes/functions/fns std.php or restricting access to the portfolio photo popup.php file until a patch is available. Avoid using the `id` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Verosky Media Instant Photo Gallery version 1.0.2 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `member` parameter in a `viewpro` action in `member.php`. **Recommendations** For Verosky Media Instant Photo Gallery version 1.0.2, avoid using the `member` parameter in the `viewpro` action until the issue is resolved. Consider restricting access to `member.php` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FlexBB versions 0.5.7 BETA and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `name` and `message` parameters. **Recommendations** For FlexBB versions 0.5.7 BETA and earlier, avoid using the `name` and `message` parameters in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Boardsolution versions 1.12 and earlier **Description** A cross-site scripting (XSS) issue exists in the search action handler in index.php, allowing remote attackers to inject arbitrary web script or HTML via the `keyword` parameter in the "Search for" item. **Recommendations** For versions 1.12 and earlier, as a temporary workaround, consider restricting the use of the search function until a patch is available. Avoid using the `keyword` parameter in the affected search action handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TinyWebGallery versions 1.3 through 1.4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `twg album` parameter in the index.php file. This could potentially lead to unauthorized actions on the affected web application. **Recommendations** For TinyWebGallery versions 1.3 through 1.4, consider restricting access to the `twg album` parameter in the index.php file until a patch is available. As a temporary workaround, avoid using the `twg album` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Snipe Gallery versions 3.1.4 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `keyword` parameter in the "search.php" endpoint. **Recommendations** For Snipe Gallery versions 3.1.4 and earlier, update to a version later than 3.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the search.php endpoint or sanitizing the `keyword` parameter to prevent malicious input.