Xy7

**Name of the Vulnerable Software and Affected Versions** SiteEngine versions 5.x **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the announcements.php file. **Recommendations** For SiteEngine versions 5.x, avoid using the `id` parameter in the announcements.php file until the issue is resolved. Consider restricting access to the announcements.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SiteEngine versions 5.x **Description** The issue allows remote attackers to obtain system information. This is achieved by setting the `action` parameter to `php info` in the "misc.php" endpoint. **Recommendations** For SiteEngine versions 5.x, consider restricting access to the "misc.php" endpoint or disabling the phpinfo function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SiteEngine versions 5.x **Description** The issue allows user-assisted remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a URL in the `forward` parameter in a logout action in the `api.php` file. **Recommendations** For SiteEngine versions 5.x, consider restricting access to the `api.php` file or the logout action to minimize the risk of exploitation. As a temporary workaround, avoid using the `forward` parameter in the logout action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CYASK versions 3.x **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files by utilizing a .. (dot dot) in the `neturl` parameter of the collect.php file. **Recommendations** For CYASK version 3.x, consider restricting access to the collect.php file until a patch is available, or avoid using the `neturl` parameter with untrusted input to minimize the risk of exploitation.