Thelastvvv

**Name of the Vulnerable Software and Affected Versions** SialWeb CMS (affected versions not specified) **Description** A critical issue was found in SialWeb CMS, affecting an unknown part of the file /about.php. The manipulation of the `Id` argument leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Soluzione Globale Ecommerce CMS version v1 **Description** The issue allows SQL injection to occur. This is related to the `offerta.php` parameter. **Recommendations** For Soluzione Globale Ecommerce CMS version v1, avoid using the `offerta.php` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Webexcels Ecommerce CMS versions 2.x, 2017, 2018, 2019, 2020 **Description** The issue concerns a cross-site scripting problem. It is related to the "search.php" `id` parameter. **Recommendations** For Webexcels Ecommerce CMS versions 2.x, 2017, 2018, 2019, 2020, consider restricting access to the 'search.php' endpoint until a fix is available, and avoid using the `id` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DesignMasterEvents Conference management version 1.0.0 **Description** The issue allows SQL Injection via the `username` field on the administrator login page. **Recommendations** For DesignMasterEvents Conference management version 1.0.0, avoid using the `username` field in the administrator login page until the issue is resolved. As a temporary workaround, consider restricting access to the administrator login page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DesignMasterEvents Conference management version 1.0.0 **Description** The issue concerns a cross-site scripting problem. It is related to the 'certificate.php' file, which suggests that the vulnerability can be exploited through this specific component. **Recommendations** For DesignMasterEvents Conference management version 1.0.0, consider restricting access to the 'certificate.php' file as a temporary mitigation measure until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Create-Project Manager version 1.07 **Description** The issue concerns a lack of protection in the web page structure, allowing for potential exploitation. This can lead to a remote attacker conducting a cross-site scripting (XSS) attack. The vulnerability is present in multiple areas, including the online chat, social feed, message title tag, and when adding a new client, where all tags are vulnerable. **Recommendations** For Create-Project Manager version 1.07, consider disabling the online chat, social feed, and the functionality to add new clients until a patch is available to prevent XSS and HTML injection attacks. Restrict access to these features to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webexcels Ecommerce CMS versions 2.x, 2017, 2018, 2019, 2020 **Description** The issue is related to a SQL Injection vulnerability via the `id` parameter in the `content.php` script. This vulnerability is due to a lack of protection measures for the SQL query structure. Exploitation of this issue can allow a remote attacker to conduct a cross-site scripting (XSS) attack. **Recommendations** For Webexcels Ecommerce CMS versions 2.x, 2017, 2018, 2019, 2020, consider disabling the `id` parameter in the `content.php` script as a temporary workaround until a patch is available. Restrict access to the `content.php` script to minimize the risk of exploitation. Avoid using the `id` parameter in the affected script until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** We-com Municipality portal CMS versions 2.1.x **Description** SQL injection can occur via the `cerca/` keywords field. This issue allows for potential data manipulation and unauthorized access. **Recommendations** For We-com Municipality portal CMS versions 2.1.x, consider restricting access to the `cerca/` keywords field until a patch is available. As a temporary workaround, avoid using the `cerca/` keywords field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** We-com OpenData CMS version 2.0 **Description** The issue allows SQL Injection via the `username` field on the administrator login page. This could potentially lead to unauthorized access to sensitive data. **Recommendations** For We-com OpenData CMS version 2.0, consider restricting access to the administrator login page until a fix is available. As a temporary workaround, avoid using the `username` field in a way that could be exploited for SQL injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** We-com Municipality portal CMS versions 2.1.x **Description** The issue allows for XSS to occur via the cerca/search bar. **Recommendations** For We-com Municipality portal CMS versions 2.1.x, consider restricting access to the cerca/search bar until a fix is available. As a temporary workaround, avoid using the cerca/search bar in We-com Municipality portal CMS until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Vanguard plugin version 2.1 for WordPress **Description** An issue was discovered that allows XSS to occur via the `mails/new` title field, a product field to the "p/" URI, or the `Products Search` box. **Recommendations** For Vanguard plugin version 2.1, consider disabling the `mails/new` title field, restricting access to product fields, and limiting the use of the `Products Search` box until a fix is available. Avoid using the `p/` URI with untrusted input.