Sirdarckcat

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 3.6 Beta 3 **Description** The issue arises from improper handling of overlong UTF-8 encoding, making it easier for remote attackers to bypass cross-site scripting (XSS) protection mechanisms via a crafted string. **Recommendations** For versions prior to 3.6 Beta 3, update to version 3.6 Beta 3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Apple Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows Apple Safari versions prior to 4.1 on Mac OS X 10.4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via vectors involving HTML document fragments. **Recommendations** For Apple Safari versions prior to 5.0 on Mac OS X 10.5 through 10.6 and Windows, update to version 5.0 or later. For Apple Safari versions prior to 4.1 on Mac OS X 10.4, update to version 4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer 8 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks against web sites that have no inherent XSS vulnerabilities. This is related to the details of output encoding and improper modification of an HTML attribute. The vulnerability could allow initially disabled scripts to run in the wrong security context, leading to information disclosure. **Recommendations** For Microsoft Internet Explorer 8, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPIDS versions prior to 20070703 **Description** The issue arises from improper handling of arithmetic expressions and unclosed comments, allowing remote attackers to inject arbitrary web script. **Recommendations** For PHPIDS versions prior to 20070703, update to a version released after 20070703 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHPIDS version prior to 20070703 **Description** The issue arises from improper handling of certain expressions and methods, including the substr method in document.location.search and document.referrer, specific use of document.location.hash, certain "window[eval" and similar expressions, Function expressions, '=' expressions, and "with" expressions. This allows remote attackers to inject arbitrary web script. **Recommendations** For PHPIDS version prior to 20070703, update to version 20070703 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** php-Revista version 1.1.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the `cadena` parameter in "busqueda.php" and the `email` parameter in "lista.php" are vulnerable to such injections. **Recommendations** For php-Revista version 1.1.2, as a temporary workaround, consider restricting access to the "busqueda.php" and "lista.php" scripts until a patch is available. Avoid using the `cadena` parameter in "busqueda.php" and the `email` parameter in "lista.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** php-Revista version 1.1.2 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters in different PHP files, including the `id temas` parameter in "busqueda tema.php", the `cadena` parameter in "busqueda.php", the `id autor` parameter in "autor.php", the `email` parameter in "lista.php", and the `id articulo` parameter in "articulo.php". **Recommendations** For php-Revista version 1.1.2, consider validating and sanitizing user input for the `id temas`, `cadena`, `id autor`, `email`, and `id articulo` parameters to prevent SQL injection attacks. As a temporary workaround, restrict access to the affected PHP files until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ssLinks version 1.22 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `go` parameter and the `id` parameter in a rate action. **Recommendations** For ssLinks version 1.22, consider restricting access to the links.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the `go` and `id` parameters in the rate action until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Autentificator version 2.01 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `user` parameter in the aut verifica.inc.php file. **Recommendations** For Autentificator version 2.01, consider restricting access to the aut verifica.inc.php file or validating and sanitizing the `user` parameter to prevent SQL injection attacks.

**Name of the Vulnerable Software and Affected Versions** php-Revista version 1.1.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via the `adodb` parameter in the index.php file. **Recommendations** For php-Revista version 1.1.2, update the index.php file to properly validate and sanitize the `adodb` parameter to prevent remote file inclusion and arbitrary PHP code execution. As a temporary workaround, consider restricting access to the index.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Longino Jacome php-Revista version 1.1.2 **Description** The issue allows remote attackers to bypass authentication controls. This is achieved by setting the `ID ADMIN` and `SUPER ADMIN` parameters to 1, effectively allowing unauthorized access. **Recommendations** For Longino Jacome php-Revista version 1.1.2, as a temporary workaround, consider restricting access to the admin/index.php endpoint until a patch is available. Avoid using the parameters `ID ADMIN` and `SUPER ADMIN` in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SQLiteWebAdmin versions 0.1 and earlier **Description** A remote file inclusion issue exists, allowing remote attackers to execute arbitrary PHP code via a URL in the `conf[classpath]` parameter in the tpl.inc.php file. **Recommendations** For SQLiteWebAdmin versions 0.1 and earlier, as a temporary workaround, consider restricting access to the `conf[classpath]` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Banex PHP MySQL Banner Exchange version 2.21 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `site name` parameter to the "signup.php" endpoint, and the `id`, `deleteuserbanner`, `viewmem`, `viewmemunb`, `viewunmem`, or `deleteuser` parameters to the "admin.php" endpoint. **Recommendations** For Banex PHP MySQL Banner Exchange version 2.21, consider restricting access to the "signup.php" and "admin.php" endpoints until a fix is available. As a temporary workaround, avoid using the `site name`, `id`, `deleteuserbanner`, `viewmem`, `viewmemunb`, `viewunmem`, and `deleteuser` parameters in the affected endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Banex PHP MySQL Banner Exchange version 2.21 **Description** The issue allows remote attackers to obtain sensitive information, such as database usernames and passwords, due to insufficient access control of the lib.inc file stored under the web document root. **Recommendations** For Banex PHP MySQL Banner Exchange version 2.21, consider restricting access to the lib.inc file to prevent remote attackers from obtaining sensitive information. As a temporary workaround, move the lib.inc file outside of the web document root or apply appropriate access controls to limit exposure.

**Name of the Vulnerable Software and Affected Versions** Banex PHP MySQL Banner Exchange version 2.21 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `cfg root` parameter in the members.php file. **Recommendations** For Banex PHP MySQL Banner Exchange version 2.21, consider restricting access to the `members.php` file or the `cfg root` parameter to minimize the risk of exploitation until a patch is available.