Sweet-Devil

**Name of the Vulnerable Software and Affected Versions** Alwasel version 1.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter to API endpoints such as "show.php" and "xml.php". **Recommendations** For Alwasel version 1.5, avoid using the `id` parameter in the affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to the "show.php" and "xml.php" endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AR Web Content Manager (AWCM) version 2.1 **Description** A directory traversal issue exists due to the lack of proper input validation in the `a.php` file. When `magic quotes gpc` is disabled, remote attackers can exploit this by including a `..` (dot dot) sequence in the `a` parameter to include and execute arbitrary local files. **Recommendations** For AR Web Content Manager (AWCM) version 2.1, consider disabling the `a.php` file or restricting access to it until a proper fix is available. Additionally, enabling `magic quotes gpc` may help mitigate this issue, but it is recommended to apply a proper patch or update when available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AR Web Content Manager (AWCM) version 2.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `username` parameter in the "control/login.php" file when magic quotes gpc is disabled. **Recommendations** For AR Web Content Manager (AWCM) version 2.1, consider disabling the magic quotes gpc option or restricting access to the control/login.php file until a patch is available. Avoid using the `username` parameter in the affected file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: SaphpLesson version 4.0 Description: The issue is related to a SQL injection vulnerability. It occurs when the `magic quotes gpc` setting is disabled, allowing remote attackers to execute arbitrary SQL commands via the `cp username` parameter. This is due to an error in the `CleanVar` function located in `includes/functions.php`. Recommendations: For SaphpLesson version 4.0, consider disabling the `CleanVar` function in `includes/functions.php` until a patch is available, or ensure that the `magic quotes gpc` setting is enabled to prevent SQL injection attacks. Additionally, restrict access to the `admin/login.php` page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mobilelib GOLD version 3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `adminName` parameter to "cp/auth.php", the `cid` parameter to "artcat.php", and the `catid` parameter to "show.php". **Recommendations** For Mobilelib GOLD version 3, consider restricting access to the vulnerable API endpoints "cp/auth.php", "artcat.php", and "show.php" to minimize the risk of exploitation. Avoid using the parameters `adminName`, `cid`, and `catid` in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** DotWidget For Articles (dotwidgeta) version 0.2 **Description** The issue allows remote attackers to execute arbitrary code via specific parameters in various PHP files. This is achieved by providing a URL in the `file path` parameter to files such as "index.php", "showcatpicks.php", and "showarticle.php". Additionally, attackers can exploit the `admin header file` and `admin footer file` parameters in files like "admin/authors.php", "admin/index.php", "admin/categories.php", "admin/editconfig.php", and "admin/articles.php". **Recommendations** For DotWidget For Articles (dotwidgeta) version 0.2, consider disabling the `file path`, `admin header file`, and `admin footer file` parameters in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the `file path`, `admin header file`, and `admin footer file` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ac4p Mobile (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the `Taaa` parameter to the "/up.php" API endpoint, or the `pollhtml` and `Bloks` parameters to the "/polls.php" API endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PMOS Help Desk versions 2.4 InverseFlow Help Desk version 2.31 Ace Helpdesk version 2.31 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `id` or `email` parameter to "ticketview.php", or the `email` parameter to "ticket.php". **Recommendations** For PMOS Help Desk version 2.4, update to a version that fixes the XSS vulnerabilities. For InverseFlow Help Desk version 2.31, update to a version that fixes the XSS vulnerabilities. For Ace Helpdesk version 2.31, update to a version that fixes the XSS vulnerabilities.

**Name of the Vulnerable Software and Affected Versions** mcGuestbook versions 1.2 through 1.3 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `lang` parameter to API endpoints such as "admin.php", "ecrire.php", and "lire.php". It is noted that the issue might be limited to a race condition during installation or an improper installation, since a completed installation creates an include file that prevents external control of the `lang` variable. **Recommendations** For mcGuestbook versions 1.2 through 1.3, consider disabling access to the "admin.php", "ecrire.php", and "lire.php" API endpoints until a proper fix is applied, and ensure proper installation to prevent external control of the `lang` variable.

**Name of the Vulnerable Software and Affected Versions** Xtreme Scripts Download Manager version 1.0 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `root` parameter in several PHP files, including "download.php", "manager.php", "admin/scripts/category.php", "includes/add allow.php", "admin/index.php", and "admin/admin/login.php". **Recommendations** For Xtreme Scripts Download Manager version 1.0, consider disabling the `root` parameter in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the `root` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** saphplesson version 2.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `forumid` parameter in "add.php" and the `lessid` parameter in "show.php". **Recommendations** For version 2.0, consider restricting access to the `add.php` and `show.php` scripts until a patch is available. As a temporary workaround, avoid using the `forumid` and `lessid` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** coolphp magazine (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the index.php file of coolphp magazine. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several parameters, including `op`, `nick`, and possibly `0000`, `userinfo`, `comp der`, `encuestas`, and `pagina`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chipmunk guestbook (affected versions not specified) **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via the `start` parameter in `index.php`, the `forumID` parameter in `index.php`, `newtopic.php`, and `reply.php`, and the `ID` parameter in `edit.php`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.