Nathan Malcolm

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.6.7 **Description** The issue allows remote administrators to execute arbitrary SQL commands via unspecified vectors in the user search or Mail Log in the Admin Control Panel (ACP). **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.6.7 **Description** A cross-site scripting (XSS) issue exists in the Admin Control Panel (ACP) of MyBB, allowing remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment. **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the Admin Control Panel (ACP) to minimize the risk of exploitation. Avoid using malformed file names in orphaned attachments until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.6.7 **Description** The issue allows remote attackers to obtain sensitive information via a malformed `forumread` cookie. This reveals the installation path in an error message. **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue.