SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.

Directory traversal vulnerability in GSAPAK.EXE for GameSpy Arcade, possibly versions before 1.3e, allows remote attackers to overwrite arbitrary files and execute arbitrary code via .. (dot dot) sequences in filenames in a .APK (Zip) file.