Addmimistrator

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.1.7 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the query string (`$ SERVER[PHP SELF]`) in the admin/global.php file, also known as the Admin CP login form. **Recommendations** For MyBB version 1.1.7, as a temporary workaround, consider restricting access to the admin/global.php file until a patch is available. Avoid using the query string (`$ SERVER[PHP SELF]`) in the affected login form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB versions 1.0 RC2 through 1.1.4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a javascript URI with an SGML numeric character reference in the `url` BBCode tag. This can be demonstrated using "javascript". **Recommendations** For MyBB versions 1.0 RC2 through 1.1.4, consider disabling the `url` BBCode tag until a patch is available to prevent exploitation of this issue. Restrict access to the `inc/functions post.php` file to minimize the risk of exploitation. Avoid using SGML numeric character references in the `url` BBCode tag until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.1.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the e-mail address when registering for a forum that requires e-mail verification. This is due to improper handling in usercp.php and member.php. **Recommendations** For MyBB version 1.1.1, as a temporary workaround, consider restricting access to the user registration process that requires e-mail verification until a proper fix is applied. Additionally, restrict input handling in usercp.php and member.php to minimize the risk of SQL injection.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.0.1 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the file extension of an uploaded file attachment in the inc/function upload.php file. **Recommendations** For versions prior to 1.0.1, update to version 1.0.1 or later to resolve the issue. As a temporary workaround, consider restricting file uploads or validating the file extensions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB versions 1.0.1 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via a thread message in the print view of the thread, due to improper sanitization. **Recommendations** For MyBB versions 1.0.1 and earlier, update to a version later than 1.0.1 to resolve the issue.