admin/index.php in AV Arcade 2.1b grants administrative privileges when the ava_userid cookie value is 1, which allows remote attackers to perform certain administrative actions.

SQL injection vulnerability in includes/view_page.php in AV Arcade 2.1b allows remote attackers to execute arbitrary SQL commands via the id parameter in a view_page action to index.php.

SQL injection vulnerability in index.php in the Arcade 1.00 module for PHP-Fusion allows remote attackers to execute arbitrary SQL commands via the cid parameter in a view_game_list action.

Cross-site scripting (XSS) vulnerability in index.php in phpMyDesktop|Arcade 1.0 allows remote attackers to inject arbitrary web script or HTML via the subsite parameter in the subsite todo.

Directory traversal vulnerability in index.php in PhpMyDesktop|arcade 1.0 FINAL allows remote attackers to read arbitrary files or execute PHP code via a .. (dot dot) sequence and trailing null (%00) byte in the subsite parameter in a showsubsite todo.

Multiple cross-site scripting (XSS) vulnerabilities in phpArcadeScript 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the gamename parameter in tellafriend.php, (2) the login_status parameter in loginbox.php, (3) the submissionstatus parameter in index.php, the (4) cell_title_background_color and (5) browse_cat_name parameters in browse.php, the (6) gamefile parameter in displaygame.php, and (7) possibly other parameters in unspecified PHP scripts.

SQL injection vulnerability in the favorites module in index.php in IPBProArcade 2.5.2 allows remote attackers to inject arbitrary SQL commands via the gameid parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. In addition, the demonstration code as used by third parties suggests that this might be a different type of vulnerability related to shell metacharacters. Finally, this could be a rediscovery of CVE-2004-1430.

SQL injection vulnerability in index.php of the report module in ibProArcade 2.5.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user parameter.

Directory traversal vulnerability in RealArcade 1.2.0.994 allows remote attackers to delete arbitrary files via an RGP file with a .. (dot dot) in the FILENAME tag.

SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter.