Vxsfx

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple versions 0.10 and earlier **Description** A remote file inclusion issue in the lang.php file allows remote attackers to execute arbitrary PHP code via the `nls[file][vx][vxsfx]` parameter. **Recommendations** For CMS Made Simple versions 0.10 and earlier, consider restricting access to the lang.php file and the `nls[file][vx][vxsfx]` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPTB Topic Board versions 2.0 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via the `absolutepath` parameter in multiple PHP files, including admin o.php, board o.php, dev o.php, file o.php, and tech o.php. **Recommendations** For PHPTB Topic Board versions 2.0 and earlier, as a temporary workaround, consider restricting access to the vulnerable PHP files until a patch is available. Avoid using the `absolutepath` parameter in the affected files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP mcNews version 1.3 **Description** A remote file inclusion issue exists, allowing remote attackers to execute arbitrary PHP code by modifying the `skinfile` parameter to reference a URL on a remote web server that contains the code. **Recommendations** For PHP mcNews version 1.3, consider restricting access to the `admin/header.php` file or validating the `skinfile` parameter to prevent remote file inclusion attacks. As a temporary workaround, avoid using the `skinfile` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Form Mail Script versions 2.3 and earlier **Description** A remote file inclusion issue allows attackers to execute arbitrary PHP code by modifying the `script root` to reference a URL on a remote web server that contains the code. **Recommendations** For Form Mail Script versions 2.3 and earlier, update to a version later than 2.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Download Center Lite version 1.6 **Description** The issue allows remote attackers to execute arbitrary PHP code by modifying the `script root` parameter to reference a URL on a remote web server that contains the code. This is achieved through a PHP remote file inclusion vulnerability in the download center lite.inc.php file. **Recommendations** For Download Center Lite version 1.6, consider restricting access to the `download center lite.inc.php` file to minimize the risk of exploitation. Avoid using the `script root` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.