Snup

**Name of the Vulnerable Software and Affected Versions** DiY-CMS version 1.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `question` parameter to `/modules/poll/add.php` or the `question` or `answer` parameters to `/modules/poll/edit.php`. **Recommendations** For DiY-CMS version 1.0, avoid using the `question` parameter in the `/modules/poll/add.php` and `/modules/poll/edit.php` API endpoints, and the `answer` parameter in the `/modules/poll/edit.php` endpoint until a fix is available. Consider restricting access to these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DiY-CMS version 1.0 **Description** A cross-site request forgery issue exists, allowing remote attackers to hijack administrator authentication for requests that create a poll via an add action to the poll module. **Recommendations** For DiY-CMS version 1.0, consider implementing token-based validation to prevent cross-site request forgery attacks, and restrict access to the poll module's add action to authorized administrators only.

**Name of the Vulnerable Software and Affected Versions** DIY-CMS version 1.0 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `start` parameter to `mod.php`. **Recommendations** For DIY-CMS version 1.0, consider restricting access to the `mod.php` module to minimize the risk of exploitation. Avoid using the `start` parameter in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Snitz Forums 2000 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `TOPIC ID` parameter in the "forum.asp" endpoint. **Recommendations** For Snitz Forums 2000, consider restricting access to the `TOPIC ID` parameter in the "forum.asp" endpoint until a patch is available. As a temporary workaround, avoid using the `TOPIC ID` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Siche search module version 0.5 for Zeroboard **Description** The issue concerns SQL injection vulnerabilities in the ssearch.php file of the Siche search module. Remote attackers can execute arbitrary SQL commands by manipulating certain parameters. The vulnerable parameters include `ss`, `sm`, `align`, and `category`. **Recommendations** For Siche search module version 0.5, consider restricting access to the ssearch.php file until a patch is available, and avoid using the `ss`, `sm`, `align`, and `category` parameters in the affected API endpoint. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Siche search module version 0.5 for Zeroboard **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `search` parameter in the ssearch.php file. **Recommendations** For Siche search module version 0.5, consider restricting access to the ssearch.php file until a patch is available, or avoid using the `search` parameter in the affected module to minimize the risk of exploitation.