The_3Dit0R

**Name of the Vulnerable Software and Affected Versions** RMForum (affected versions not specified) **Description** The issue allows remote attackers to download a database via a direct request for rmforum.mdb, as sensitive information is stored under the web root with insufficient access control. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpwebnews versions 0.2 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `m txt` parameter to specific API endpoints, including "iklan.php", "index.php", and "bukutamu.php". This can lead to cross-site scripting (XSS) attacks. **Recommendations** For phpwebnews versions 0.2 and earlier, as a temporary workaround, consider restricting access to the `m txt` parameter in the affected API endpoints until a patch is available. Avoid using the `m txt` parameter in the "iklan.php", "index.php", and "bukutamu.php" endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** my little weblog (affected versions not specified) **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `id` parameter in the weblog.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenConcept Back-End CMS version 0.4.7 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `includes path` parameter to various PHP files, including "click.php" and "pollcollector.php" in the htdocs directory, and multiple files in the htdocs/site-admin directory, such as "index.php", "articlepages.php", and "upload.php". **Recommendations** For OpenConcept Back-End CMS version 0.4.7, consider restricting access to the `includes path` parameter in the affected PHP files until a patch is available. As a temporary workaround, define the `$includes path` variable before use to prevent remote file inclusion attacks.

**Name of the Vulnerable Software and Affected Versions** Sam Crew MyBlog (affected versions not specified) **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `id` parameter in the admin/modify.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** built2go News Manager Blog version 1.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `cid`, `uid`, and `nid` parameters to "news.php", and the `nid` parameter to "rating.php". **Recommendations** For built2go News Manager Blog version 1.0, consider restricting access to the "news.php" and "rating.php" endpoints until a fix is available. As a temporary workaround, avoid using the `cid`, `uid`, and `nid` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** PHPOLL version 0.96 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved by manipulating the `language` parameter in various PHP files, including index.php, info.php, votanti.php, risultati config.php, modifica band.php, band editor.php, and config editor.php, particularly those located in the admin directory. API endpoints such as "index.php" and "info.php" are affected. **Recommendations** For PHPOLL version 0.96, consider disabling the vulnerable parameters, such as the `language` parameter, in the affected PHP files until a patch is available. Restrict access to the admin directory to minimize the risk of exploitation. Avoid using the `language` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** dicshunary version 0.1 alpha **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `dicshunary root path` parameter in the check status.php file. **Recommendations** For dicshunary version 0.1 alpha, consider restricting access to the check status.php file until a patch is available, and avoid using the `dicshunary root path` parameter in this file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wabbit PHP Gallery version 0.9 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by including a .. (dot dot) in the `dir` parameter to the "index.php" endpoint. **Recommendations** For Wabbit PHP Gallery version 0.9, consider restricting access to the `dir` parameter in the "index.php" endpoint to prevent directory traversal attacks. As a temporary workaround, restrict access to sensitive files and directories until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BirdBlog version 1.4.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is achieved through various parameters in different API endpoints, such as the `msg` parameter to "admin/admincore.php", the `month` parameter to "admin/comments.php" or "admin/entries.php", and the `page` parameter to "admin/logs.php". **Recommendations** For BirdBlog version 1.4.0, consider restricting access to the vulnerable API endpoints, specifically "admin/admincore.php", "admin/comments.php", "admin/entries.php", and "admin/logs.php", to minimize the risk of exploitation. Avoid using the `msg`, `month`, and `page` parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** enomphp version 4.0 **Description** The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This is achieved by including a .. (dot dot) in the `dir` parameter to various PHP files, including "config.php", "ranklv inside.php", "rankml inside.php", and "admin/Restore/config.php". **Recommendations** For enomphp version 4.0, consider restricting access to the `dir` parameter in the affected PHP files to minimize the risk of exploitation. As a temporary workaround, restrict access to the vulnerable PHP files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LoudMouth version 2.4 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the `mainframe` parameter to specific API endpoints, such as "admin.loudmouth.php" or "toolbar.loudmouth.php". **Recommendations** For LoudMouth version 2.4, consider restricting access to the `admin.loudmouth.php` and `toolbar.loudmouth.php` endpoints until a patch is available. As a temporary workaround, avoid using the `mainframe` parameter in these endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Simple PHP Blog (SPHPBlog) versions prior to 0.4.9 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in certain PHP files. This can be achieved through the `action` parameter in "add block.php" or the `entry` parameter in "index.php". **Recommendations** For Simple PHP Blog (SPHPBlog) versions prior to 0.4.9, update to version 0.4.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the "add block.php" and "index.php" files to minimize the risk of exploitation. Avoid using the `action` and `entry` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Simple PHP Blog (SPHPBlog) version 0.4.8 **Description** The issue allows remote attackers to read arbitrary files and possibly include arbitrary PHP code via a .. (dot dot) sequence in the `blog theme` parameter in various PHP files, including "index.php", "add cgi.php", "add link.php", "login.php", "template.php", or "contact.php". **Recommendations** For Simple PHP Blog (SPHPBlog) version 0.4.8, consider restricting access to the `blog theme` parameter in the affected PHP files until a patch is available. As a temporary workaround, avoid using the `blog theme` parameter with a .. (dot dot) sequence in the "index.php", "add cgi.php", "add link.php", "login.php", "template.php", or "contact.php" files.

**Name of the Vulnerable Software and Affected Versions** Blog Torrent Preview version 0.92 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `left` parameter in the "announce.php" file. **Recommendations** For Blog Torrent Preview version 0.92, consider restricting access to the announce.php file until a patch is available. As a temporary workaround, avoid using the `left` parameter in the affected endpoint.