Simon Bonnard

**Name of the Vulnerable Software and Affected Versions** SQLiteManager version 1.2.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via certain fields, including the `database name`, `table name`, `ViewName`, `view`, `trigger`, and `function` fields in `main.php` and other files. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For SQLiteManager version 1.2.0, consider restricting access to the vulnerable fields until a patch is available. As a temporary workaround, avoid using the `database name`, `table name`, `ViewName`, `view`, `trigger`, and `function` fields in `main.php` and other files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Phpwebgallery version 1.4.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several fields, including the `login` or `mail address` field in "Register.php", or the `search author`, `mode`, `start year`, `end year`, or `date type` field in "Search.php". **Recommendations** For Phpwebgallery version 1.4.1, avoid using the vulnerable fields in Register.php and Search.php until a patch is available. As a temporary workaround, consider restricting access to the Register.php and Search.php files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ActiveCalendar version 1.2.0 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the `page` parameter of the /data/showcode.php endpoint. **Recommendations** For ActiveCalendar version 1.2.0, consider restricting access to the /data/showcode.php endpoint until a patch is available. As a temporary workaround, avoid using the `page` parameter in the affected endpoint to minimize the risk of exploitation.