Rahim

**Name of the Vulnerable Software and Affected Versions** IncCMS Core versions 1.0.0 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `inc dir` parameter in the inc/settings.php file. **Recommendations** For IncCMS Core versions 1.0.0 and earlier, consider restricting access to the inc/settings.php file until a patch is available. Avoid using the `inc dir` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VideoDB versions 2.2.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via the `config[pdf module]` parameter in the core/pdf.php file. **Recommendations** For VideoDB versions 2.2.1 and earlier, update to a version later than 2.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ProManager version 0.73 **Description** A SQL injection issue exists, allowing remote attackers to execute arbitrary SQL commands. This is achieved via the `note id` parameter in the note.php file. **Recommendations** For ProManager version 0.73, consider restricting access to the note.php file or validating and sanitizing the `note id` parameter to prevent SQL injection attacks. As a temporary workaround, avoid using the `note id` parameter in the affected note.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Shadows Rising RPG (Pre-Alpha) versions 0.0.5b and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `CONFIG[gameroot]` parameter to various PHP files, including (1) core/includes/security.inc.php, (2) core/includes/smarty.inc.php, (3) qcms/includes/smarty.inc.php, or (4) qlib/smarty.inc.php. **Recommendations** For Shadows Rising RPG (Pre-Alpha) versions 0.0.5b and earlier, consider restricting access to the `CONFIG[gameroot]` parameter to minimize the risk of exploitation. Avoid using the `CONFIG[gameroot]` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NES Game and NES System version c108122 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `phphtmllib` parameter to various scripts, including `includes.php`, `divtag utils.php`, `form utils.php`, `html utils.php`, `localinc.php`, `FooterNav.php`, `HTMLPageClass.php`, `InfoTable.php`, `NavTable.php`, and `TextNav.php`. **Recommendations** For NES Game and NES System version c108122 and earlier, consider disabling the `phphtmllib` parameter in the affected scripts until a patch is available. Restrict access to the vulnerable scripts to minimize the risk of exploitation. Avoid using the `phphtmllib` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Outreach Project Tool (OPT) Max versions 1.2.6 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `CRM inc` parameter. This can be achieved by manipulating the URL to include malicious PHP code, which can then be executed by the server. **Recommendations** For Outreach Project Tool (OPT) Max versions 1.2.6 and earlier, update to a version later than 1.2.6 to resolve the issue. As a temporary workaround, consider restricting access to the `include/urights.php` file to minimize the risk of exploitation. Avoid using the `CRM inc` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** dotProject versions 2.0.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `baseDir` parameter in the classes/query.class.php file. **Recommendations** For dotProject versions 2.0.4 and earlier, consider restricting access to the vulnerable `classes/query.class.php` file until a patch is available. Avoid using the `baseDir` parameter in the affected API endpoint until the issue is resolved.