Abducter

Cross-site scripting (XSS) vulnerability in index.php for FlatNuke 2.5.6 allows remote attackers to inject arbitrary web script or HTML via the user parameter in a profile operation, a different vulnerability than CVE-2005-2814. NOTE: it is possible that this XSS is a resultant vulnerability of CVE-2005-3307.

**Name of the Vulnerable Software and Affected Versions** FlatNuke version 2.5.6 **Description** The issue allows remote attackers to read arbitrary files via ".." sequences in the `user` parameter in a profile operation or the `quale` parameter in a newtopic operation, specifically in the index.php file. **Recommendations** For FlatNuke version 2.5.6, consider restricting access to the index.php file until a patch is available, and avoid using the `user` parameter in profile operations and the `quale` parameter in newtopic operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB versions 1.00 Release Candidate 1 through 4 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `uid` parameter in the "search.php" file. **Recommendations** For MyBB versions 1.00 Release Candidate 1 through 4, avoid using the `uid` parameter in the "search.php" file until the issue is resolved.