S3Rv3R_Hack3R

**Name of the Vulnerable Software and Affected Versions** DZOIC Handshakes version 3.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `fname` parameter in a "members search" action, specifically targeting the index.php file. **Recommendations** For DZOIC Handshakes version 3.5, consider restricting access to the `fname` parameter in the "members search" action until a patch is available. As a temporary workaround, avoid using the `fname` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DynaTracker version 151 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `base path` parameter in the includes handler.php file. **Recommendations** For DynaTracker version 151, consider restricting access to the includes handler.php file or the `base path` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDevSpot BizDirectory (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the `stylesheet` parameter in "Feed.php" or the `message` parameter in "status.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** iDevSpot NixieAffiliate versions 1.9 and earlier **Description** A cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `error` parameter in the forms/lostpassword.php file. **Recommendations** For versions 1.9 and earlier, update to a version later than 1.9 to resolve the issue. As a temporary workaround, consider restricting access to the forms/lostpassword.php file to minimize the risk of exploitation. Avoid using the `error` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** IDevSpot NexieAffiliate versions 1.9 and earlier **Description** The issue allows remote attackers to delete arbitrary affiliates. This is achieved by modifying the `id` parameter in the "delete.php" endpoint. **Recommendations** For versions 1.9 and earlier, restrict access to the "delete.php" endpoint to prevent unauthorized affiliate deletion. As a temporary workaround, consider validating and sanitizing the `id` parameter to ensure only authorized modifications can be made.

**Name of the Vulnerable Software and Affected Versions** IDevSpot PhpLinkExchange version 1.0 **Description** The issue allows remote attackers to execute arbitrary code via the `svr rootPhpStart` parameter in the bits listings.php file. This enables the execution of malicious code, potentially leading to system compromise. **Recommendations** For IDevSpot PhpLinkExchange version 1.0, consider restricting access to the bits listings.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `svr rootPhpStart` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** IDevSpot PhpLinkExchange version 1.0 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `msg` parameter in the user add.php file. **Recommendations** For IDevSpot PhpLinkExchange version 1.0, consider restricting access to the user add.php file or avoiding the use of the `msg` parameter until a fix is available. As a temporary workaround, disabling the execution of scripts from this parameter can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** IdevSpot TextAds (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in certain PHP files. Specifically, the `id` parameter in "delete.php" and the `error` parameter in "error.php" are vulnerable. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** threesquared.net (aka Ben Speakman) Php download (affected versions not specified) **Description** The issue concerns a directory traversal vulnerability. This vulnerability allows remote attackers to overwrite arbitrary local files by using .. (dot dot) sequences in the `file` parameter of the download/index.php and possibly download.php scripts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JS ASP Faq Manager version 1.10 **Description** A SQL injection issue exists in the administrator control panel, allowing remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `pwd` parameter, also known as the Password field. **Recommendations** For JS ASP Faq Manager version 1.10, avoid using the `pwd` parameter in the administrator control panel until a fix is available. Consider restricting access to the control panel to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.