Thomas Waldegger

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 6 SP2 and earlier **Description** The issue allows remote attackers to cause a denial of service, resulting in a crash, via certain malformed HTML. This possibly involves applet and base tags without required arguments, triggering a null pointer dereference in mshtml.dll. **Recommendations** For Microsoft Internet Explorer versions 6 SP2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Amaya versions 8.x before 8.8.5 Amaya version 9.4 **Description** The issue allows remote attackers to execute arbitrary code via buffer overflows. This can be achieved by providing a long value in certain attributes, such as the `COMPACT` attribute of the `COLGROUP` element, the `ROWS` attribute of the `TEXTAREA` element, and the `COLOR` attribute of the `LEGEND` element. Other unspecified attack vectors are also possible. **Recommendations** For Amaya versions 8.x before 8.8.5, update to version 8.8.5 or later. For Amaya version 9.4, at the moment, there is no information about a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the use of the `COLGROUP`, `TEXTAREA`, and `LEGEND` elements until a patch is available. Avoid using long values in the `COMPACT`, `ROWS`, and `COLOR` attributes of these elements to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer versions 5.01 through 6 **Description** A remote code execution issue exists in the way Internet Explorer handles HTML elements with specially crafted tags, leading to memory corruption. This could allow an attacker to construct a malicious Web page that potentially enables remote code execution if a user visits the site. A successful exploitation could grant the attacker complete control of the affected system. **Recommendations** For Microsoft Internet Explorer versions 5.01 through 6, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.0.9 and earlier **Description** The issue allows remote attackers with access to the administrator panel to upload arbitrary files. This is made possible through the `image.php` file in the vulnerable software. **Recommendations** For versions 3.0.9 and earlier, consider restricting access to the administrator panel and the `image.php` file to minimize the risk of exploitation. As a temporary workaround, consider disabling the file upload functionality in the administrator panel until a fix is available.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.0.9 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via certain arguments to various API endpoints, including "announcement.php", "admincalendar.php", "bbcode.php", "cronadmin.php", "email.php", "faq.php", "forum.php", "image.php", "language.php", "ranks.php", "replacement.php", "template.php", "usergroup.php", or "usertitle.php". **Recommendations** For vBulletin versions 3.0.9 and earlier, consider disabling access to the mentioned API endpoints until a patch is available. Restrict input to these endpoints to minimize the risk of exploitation. Avoid using user-supplied input in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.0.7 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters in different PHP files, including `announcement` in "announcement.php", `thread[forumid]` and `criteria` in "thread.php", `userid` in "user.php", and several others in "admincalendar.php", "cronlog.php", "email.php", "help.php", "usertitle.php", "language.php", "phrase.php", "template.php", and "usertools.php". **Recommendations** For vBulletin versions 3.0.7 and earlier, consider disabling the SQL execution functionality until a patch is available. Restrict access to the vulnerable parameters, such as `announcement`, `thread[forumid]`, `criteria`, `userid`, `calendarcustomfieldid`, `calendarid`, `moderatorid`, `holidayid`, `calendarmoderatorid`, `calendar[0]`, `cronid`, `user[usergroupid][0]`, `help[0]`, `limitnumber`, `limitstart`, `usertitleid`, `ids`, `rvt[0]`, `keep[0]`, and `dostyleid`, to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.0.7 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `loc` parameter to "/modcp/index.php" or "/admincp/index.php", or the `ip` parameter to "/modcp/user.php" or "/admincp/usertitle.php". **Recommendations** For vBulletin versions 3.0.7 and earlier, update to a version later than 3.0.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 3.0.9 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via various parameters, including the `announcement` parameter to "announcement.php", the `userid` parameter to "user.php", the `calendar` parameter to "admincalendar.php", the `cronid` parameter to "cronlog.php", the `usergroupid` parameter to "email.php", the `help` parameter to "help.php", the `rvt` parameter to "language.php", the `keep` parameter to "phrase.php", or the `updateprofilepic` parameter to "usertools.php". **Recommendations** For vBulletin versions 3.0.9 and earlier, update to a version later than 3.0.9 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions prior to 3.0.9 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several API endpoints, including "joinrequests.php" using the `request` parameter, "user.php" using the `limitnumber` or `limitstart` parameters, "usertitle.php", or "usertools.php". **Recommendations** For versions prior to 3.0.9, update to version 3.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the mentioned API endpoints until the update is applied. Avoid using the `request`, `limitnumber`, and `limitstart` parameters in the affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** vBulletin versions prior to 3.0.9 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the `group` parameter to "css.php", `redirect` parameter to "index.php", `email` parameter to "user.php", `goto` parameter to "language.php", `orderby` parameter to "modlog.php", and the `hex`, `rgb`, or `expandset` parameter to "template.php". **Recommendations** For versions prior to 3.0.9, update to version 3.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "css.php", "index.php", "user.php", "language.php", "modlog.php", and "template.php", until a patch is available. Avoid using the vulnerable parameters, such as `group`, `redirect`, `email`, `goto`, `orderby`, `hex`, `rgb`, and `expandset`, in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wordpress versions 1.5 and earlier **Description** The issue allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. **Recommendations** For Wordpress versions 1.5 and earlier, consider restricting access to the wp-content/themes/, wp-includes/, and wp-admin/ directories to minimize the risk of exploitation. As a temporary workaround, consider disabling direct requests to these directories until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Wordpress versions 1.5 and earlier **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `tb id` parameter in the wp-trackback.php file. **Recommendations** For Wordpress versions 1.5 and earlier, consider updating to a newer version to resolve the issue. As a temporary workaround, restrict access to the wp-trackback.php file to minimize the risk of exploitation. Avoid using the `tb id` parameter in the affected file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wordpress version 1.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files. This includes the `redirect to`, `text`, `popupurl`, or `popuptitle` parameters to 'wp-login.php', the `redirect url` parameter to 'admin-header.php', the `popuptitle`, `popupurl`, `content`, or `post title` parameters to 'bookmarklet.php', the `cat ID` parameter to 'categories.php', the `s` parameter to 'edit.php', or the `s` or `mode` parameter to 'edit-comments.php'. **Recommendations** For Wordpress version 1.2, as a temporary workaround, consider restricting access to the parameters `redirect to`, `text`, `popupurl`, `popuptitle`, `redirect url`, `popuptitle`, `popupurl`, `content`, `post title`, `cat ID`, `s`, and `mode` in their respective PHP files until a patch is available. Avoid using these parameters in the affected API endpoints until the issue is resolved.