X128

**Name of the Vulnerable Software and Affected Versions** More.groupware version 0.74 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `new calendarid` parameter in the `/modules/calendar/week.php` endpoint. **Recommendations** For More.groupware version 0.74, avoid using the `new calendarid` parameter in the `/modules/calendar/week.php` endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** deV!Lz Clanportal DZCP version 1.3.4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter in the "index.php" file. **Recommendations** For version 1.3.4, avoid using the `id` parameter in the index.php file until the issue is resolved. Consider restricting access to the index.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeWPS version 2.11 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by uploading a .php file into the /upload directory as specified in the `dirPath` parameter, and then performing a direct request to that file. No information is available about the estimated number of potentially affected devices or real-world incidents. **Recommendations** For FreeWPS version 2.11, consider restricting access to the `images.php` file and the /upload directory to prevent arbitrary PHP code execution until a patch is available. Avoid using the `dirPath` parameter to specify upload directories that can be accessed directly.

**Name of the Vulnerable Software and Affected Versions** LanSuite LanParty Intranet System versions 2.0.6 through 2.1.0 beta **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `fid` parameter in the board module. **Recommendations** For LanSuite LanParty Intranet System versions 2.0.6 through 2.1.0 beta, avoid using the `fid` parameter in the board module until a fix is available. Consider restricting access to the board module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ilchClan versions 1.05g and earlier **Description** A SQL injection issue in the forum module allows remote attackers to execute arbitrary SQL commands via the `pid` parameter when creating a new post. **Recommendations** For ilchClan versions 1.05g and earlier, avoid using the `pid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BXCP version 0.299 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `tid` parameter in the "index.php" file. **Recommendations** For BXCP version 0.299, consider restricting access to the `tid` parameter in the "index.php" file to minimize the risk of exploitation.