Virusman

**Name of the Vulnerable Software and Affected Versions** Crawlability vBSEO plugin version 3.1.0 for vBulletin **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the `vbseourl` parameter. This is a result of a directory traversal vulnerability in the vbseo.php file. **Recommendations** For Crawlability vBSEO plugin version 3.1.0, consider restricting access to the vbseo.php file until a patch is available. As a temporary workaround, avoid using the `vbseourl` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** E-membres version 1.0 **Description** The issue allows remote attackers to download a database due to insufficient access control of sensitive information stored under the web root. This can be achieved by making a direct request for the database file. **Recommendations** For E-membres version 1.0, consider restricting access to the database file `db/bdEMembres.mdb` to prevent unauthorized downloads until a proper fix is applied. As a temporary workaround, moving sensitive information outside of the web root or implementing proper access controls can help mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Visialis ABB Forum version 1.1 **Description** The issue allows remote attackers to download a database due to insufficient access control. Sensitive information is stored under the web root, enabling attackers to access it via a direct request for "fpdb/abb.mdb". **Recommendations** For Visialis ABB Forum version 1.1, restrict access to the fpdb/abb.mdb file to prevent unauthorized downloads. Consider implementing proper access controls to sensitive information stored under the web root.

**Name of the Vulnerable Software and Affected Versions** fipsForum version 2.6 **Description** The issue allows remote attackers to download a database via a direct request for ` database/forumFips.mdb` due to insufficient access control. This is because sensitive information is stored under the web root. **Recommendations** For version 2.6, restrict access to the ` database/forumFips.mdb` file to prevent unauthorized downloads. Consider relocating sensitive information outside of the web root or implementing proper access controls to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Employee Timeclock Software version 0.99 **Description** A cross-site request forgery (CSRF) issue exists in the add user.php file, allowing remote attackers to hijack the authentication of an administrator for requests that create new administrative users. **Recommendations** For Employee Timeclock Software version 0.99, consider implementing CSRF protection mechanisms, such as tokens, to prevent unauthorized requests. As a temporary workaround, restrict access to the add user.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ZeusCMS version 0.2 **Description** The issue allows remote attackers to obtain sensitive information due to insufficient access control. Sensitive information is stored under the web root, making it accessible via a direct request for admin/backup.sql. **Recommendations** For ZeusCMS version 0.2, consider restricting access to the admin/backup.sql file to prevent unauthorized access until a proper fix is applied. As a temporary workaround, moving sensitive files outside of the web root or implementing proper access controls can help mitigate the risk.

**Name of the Vulnerable Software and Affected Versions** ZeusCMS version 0.2 **Description** A directory traversal issue in index.php allows remote attackers to include and execute arbitrary local files by using directory traversal sequences in the `page` parameter. **Recommendations** For ZeusCMS version 0.2, consider restricting access to the `page` parameter in the index.php file to prevent directory traversal attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Joomla! component DhForum (com dhforum) (affected versions not specified) **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `id` parameter in a `grouplist` action to `index.php`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.