Shikaa

**Name of the Vulnerable Software and Affected Versions** pForum versions 1.29a and earlier **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the "editpoll.php" file. **Recommendations** For versions 1.29a and earlier, update to a version later than 1.29a to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP MatchMaker versions 4.05 and earlier **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `edit` parameter in the matchdetail.php file. **Recommendations** For PHP MatchMaker versions 4.05 and earlier, consider restricting access to the matchdetail.php file until a patch is available. As a temporary workaround, avoid using the `edit` parameter in the matchdetail.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DigitalHive version 2.0 RC2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `page` parameter in the template/purpletech/base include.php file. **Recommendations** For DigitalHive version 2.0 RC2, consider restricting access to the template/purpletech/base include.php file to minimize the risk of exploitation. Avoid using the `page` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Def-Blog versions 1.0.1 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `article` parameter in the comadd.php file. **Recommendations** For Def-Blog versions 1.0.1 and earlier, update to a version later than 1.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Minerva Build versions prior to 239 **Description** A remote file inclusion issue allows attackers to execute arbitrary PHP code via a URL in the `phpbb root path` parameter. This can be exploited by providing a malicious URL, potentially leading to code execution on the server. **Recommendations** For Minerva Build versions prior to 239, update to a version later than 238 to resolve the issue. As a temporary workaround, consider restricting access to the `admin/admin topic action logging.php` file to minimize the risk of exploitation. Avoid using the `phpbb root path` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** evoBB versions 0.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path` parameter in (1) "track.php" or (2) "connect.php" API endpoints. **Recommendations** For evoBB versions 0.3 and earlier, update to a version later than 0.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** faceStones Personal versions 2.0.42 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `GLOBALS[fsinit][objpath]` parameter in the fsl2/objects/fs form links.php file. **Recommendations** For faceStones Personal versions 2.0.42 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BrudaNews versions 1.1 and earlier BrudaGB versions 1.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `o` parameter in the admin/index.php file. **Recommendations** For BrudaNews versions 1.1 and earlier, consider restricting access to the admin/index.php file until a patch is available. For BrudaGB versions 1.1 and earlier, avoid using the `o` parameter in the admin/index.php file until the issue is resolved. As a temporary workaround, consider disabling the execution of remote files in the admin/index.php file for both BrudaNews and BrudaGB until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PBLang (PBL) versions 4.66z and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `temppath` parameter. This is a result of a PHP remote file inclusion vulnerability in the templates/pb/language/lang nl.php file. **Recommendations** For PBLang (PBL) versions 4.66z and earlier, consider restricting access to the `temppath` parameter to minimize the risk of exploitation. Avoid using the `temppath` parameter in the affected template until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** guanxiCRM versions 0.9.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `appconf[rootpath]` parameter. This is a result of a PHP remote file inclusion vulnerability in the include/phpxd/phpXD.php file. **Recommendations** For guanxiCRM versions 0.9.1 and earlier, as a temporary workaround, consider restricting access to the `include/phpxd/phpXD.php` file until a patch is available. Avoid using the `appconf[rootpath]` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UNAK-CMS versions 1.5 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `dirroot` parameter to specific API endpoints, such as "/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php" or "/fckeditor/editor/dialog/fck link.php". **Recommendations** For UNAK-CMS versions 1.5 and earlier, consider disabling access to the `fckeditor/editor/filemanager/browser/default/connectors/php/connector.php` and `fckeditor/editor/dialog/fck link.php` endpoints until a patch is available. Avoid using the `dirroot` parameter in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Telekorn SignKorn Guestbook (SL) versions 1.3 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled and the ` SESSION[permission]` parameter is set to "yes". This can be achieved via a URL in the `dir path` parameter. **Recommendations** For Telekorn SignKorn Guestbook (SL) versions 1.3 and earlier, consider disabling the register globals setting and restricting access to the `includes/log.inc.php` file until a patch is available. As a temporary workaround, avoid using the `dir path` parameter in URLs and restrict the ` SESSION[permission]` parameter to prevent it from being set to "yes" by unauthorized users.

**Name of the Vulnerable Software and Affected Versions** p4CMS version 1.05 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `abs pfad` parameter in the abf js.php file. **Recommendations** For p4CMS version 1.05, consider restricting access to the abf js.php file or the `abs pfad` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** phpFullAnnu versions 5.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `repmod` parameter in the modules/home.module.php file. **Recommendations** For phpFullAnnu versions 5.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** C-News versions 1.0.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `path` parameter in the `affichage/commentaires.php` file. **Recommendations** For versions 1.0.1 and earlier, update to a version that fixes this issue to prevent remote attackers from executing arbitrary PHP code.

**Name of the Vulnerable Software and Affected Versions** MySpeach versions 3.0.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the `my ms[root]` parameter. **Recommendations** For MySpeach versions 3.0.2 and earlier, consider disabling the register globals setting to prevent exploitation. Additionally, restrict access to the jscript.php file until a patch is available. Avoid using the `my ms[root]` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ACGV News versions 0.9.1 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `PathNews` parameter in the article.php file. **Recommendations** For ACGV News versions 0.9.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sponge News versions 2.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `sndir` parameter in the news.php file. **Recommendations** For Sponge News versions 2.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BinGo News (BP News) versions 3.01 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `bnrep` parameter. This can be achieved by manipulating the `bnrep` parameter in the API endpoint. **Recommendations** For BinGo News (BP News) versions 3.01 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DynCMS versions 6 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `x admindir` parameter in the 0 admin/modules/Wochenkarte/frontend/index.php file. **Recommendations** For DynCMS versions 6 and earlier, consider restricting access to the `0 admin/modules/Wochenkarte/frontend/index.php` file until a patch is available. Avoid using the `x admindir` parameter in the affected file to minimize the risk of exploitation.