X0R_1

**Name of the Vulnerable Software and Affected Versions** Fusion News version 1.0 **Description** A directory traversal issue exists in the sources/post.php file of Fusion News. This issue allows remote attackers to include arbitrary files via a .. (dot dot) sequence in the `fil config` parameter when register globals is enabled. This can be used to execute PHP code that has been injected into a log file. **Recommendations** For Fusion News version 1.0, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the sources/post.php file and its associated parameters, such as `fil config`, to minimize the risk of arbitrary file inclusion. Avoid using the `fil config` parameter in the affected post.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** myPHP Guestbook versions 2.0.4 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `lang` parameter in the "index.php" file. **Recommendations** For myPHP Guestbook versions 2.0.4 and earlier, consider restricting access to the `lang` parameter in the "index.php" file until a patch is available. As a temporary workaround, avoid using the `lang` parameter in the affected endpoint. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** phpCommunityCalendar version 4.0.3 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved through SQL injection vulnerabilities in various parameters, including the `CalendarDetailsID` parameter in "month.php", "day.php", and "delCalendar.php"; the `ID` parameter in "event.php"; the `AdminUserID` parameter in "delAdmin.php"; the `EventLocationID` parameter in "delAddress.php"; and the `LocationID` parameter in "delCategory.php". **Recommendations** For phpCommunityCalendar version 4.0.3, consider disabling the affected parameters, such as `CalendarDetailsID`, `ID`, `AdminUserID`, `EventLocationID`, and `LocationID`, in their respective scripts until a patch is available. Restrict access to the vulnerable scripts, including "month.php", "day.php", "delCalendar.php", "event.php", "delAdmin.php", "delAddress.php", and "delCategory.php", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpCommunityCalendar version 4.0.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the `LoName` parameter in "week.php" and "month.php" and the `AddressLink` parameter in "event.php". **Recommendations** For phpCommunityCalendar version 4.0.3, consider restricting access to the `week.php`, `month.php`, and `event.php` scripts until a patch is available. As a temporary workaround, avoid using the `LoName` and `AddressLink` parameters in the affected API endpoints.