Zen

**Name of the Vulnerable Software and Affected Versions** Fretwell-Downing Informatics (FDI) OLIB7 WebView version 2.5.1.1 **Description** The issue allows remote authenticated users to obtain sensitive information from files via the `infile` parameter to the default URI under `cgi/`. This is demonstrated by accessing the `get settings.ini`, `setup.ini`, and `text.ini` files. **Recommendations** For Fretwell-Downing Informatics (FDI) OLIB7 WebView version 2.5.1.1, consider restricting access to the `cgi/` directory or limiting the use of the `infile` parameter to prevent unauthorized access to sensitive files.

**Name of the Vulnerable Software and Affected Versions** Post Affiliate Pro version 2.0 **Description** The issue allows remote authenticated users to potentially read and execute arbitrary local files due to a directory traversal vulnerability. This is achieved by using a .. (dot dot) in the `md` parameter of the index.php file. **Recommendations** For Post Affiliate Pro version 2.0, consider restricting access to the index.php file until a patch is available, and avoid using the `md` parameter with untrusted input to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 1.6.x through 1.6.6 Moodle versions 1.7.x through 1.7.4 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `etitle` parameter, which is the blog entry title. **Recommendations** For Moodle versions 1.6.x through 1.6.6, update to version 1.6.7 or later. For Moodle versions 1.7.x through 1.7.4, update to version 1.7.5 or later.

**Name of the Vulnerable Software and Affected Versions** CVS management/tracker versions 4.7.x-1.0 through 4.7.x-2.0 CVS management/tracker version 4.7.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `motivation` field in the CVS application page. This occurs because the field is not passed through `check markup` on display, enabling cross-site scripting (XSS). **Recommendations** For versions 4.7.x-1.0 through 4.7.x-2.0, update to a version that includes the 20060807 contribution release system. For version 4.7.0, update to a version that includes the 20060807 contribution release system. As a temporary workaround, consider restricting access to the CVS application page to minimize the risk of exploitation.