Vampire

**Name of the Vulnerable Software and Affected Versions** Bigace version 1.8.2 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in specific parameters. This is achieved through the `GLOBALS[ BIGACE][DIR][admin]` parameter in files such as `system/command/admin.cmd.php`, `admin/include/upload form.php`, and `admin/include/item main.php`, and the `GLOBALS[ BIGACE][DIR][libs]` parameter in files like `system/command/admin.cmd.php` and `system/command/download.cmd.php`. **Recommendations** For Bigace version 1.8.2, consider restricting access to the `system/command/admin.cmd.php`, `admin/include/upload form.php`, `admin/include/item main.php`, and `system/command/download.cmd.php` files to minimize the risk of exploitation. Avoid using the `GLOBALS[ BIGACE][DIR][admin]` and `GLOBALS[ BIGACE][DIR][libs]` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneOrZero version 1.6.4.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the "index.php" file. **Recommendations** For OneOrZero version 1.6.4.1, avoid using the `id` parameter in the "index.php" file until a fix is available. Consider restricting access to the "index.php" file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OneOrZero version 1.6.4.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `id` parameter in the "index.php" file. **Recommendations** For OneOrZero version 1.6.4.1, avoid using the `id` parameter in the index.php file until a fix is available. As a temporary workaround, consider restricting access to the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fotopholder version 1.8 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the `path` parameter in index.php. It is noted that this might be a result of a directory traversal vulnerability. **Recommendations** For Fotopholder version 1.8, avoid using the `path` parameter in the index.php file until a fix is available. As a temporary workaround, consider restricting access to the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fotopholder version 1.8 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary directories or files by using a .. (dot dot) in the `path` parameter of the index.php file. **Recommendations** For Fotopholder version 1.8, consider restricting access to the index.php file until a patch is available, or apply configuration changes to prevent directory traversal attacks, such as validating and sanitizing the `path` parameter to prevent .. (dot dot) sequences.