R0Xes

**Name of the Vulnerable Software and Affected Versions** w-Agora (aka Web-Agora) version 4.2.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a post with a BBCode tag. This is achieved by including a JavaScript event name followed by whitespace before the '=' character in the tag, which bypasses a restrictive regular expression intended to remove events like onmouseover. **Recommendations** For w-Agora (aka Web-Agora) version 4.2.0, consider disabling the use of BBCode tags until a patch is available to prevent the exploitation of this issue. Restrict access to posts that may contain malicious scripts to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** TextFileBB version 1.0.16 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via Javascript events such as `onmouseover` in the (1) color, (2) size, or (3) url bbcode tags. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For TextFileBB version 1.0.16, consider disabling the color, size, and url bbcode tags to prevent exploitation until a patch is available. Restrict access to these tags to minimize the risk of XSS attacks. Avoid using Javascript events such as `onmouseover` in these tags until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RevoBoard version 1.8 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a substitution cipher of the email tag. This occurs when the application's e-mail address obfuscator reverses the transformation. The relationship between RevoBoard and PunBB might be relevant to this issue. **Recommendations** For RevoBoard version 1.8, consider disabling the e-mail address obfuscator feature until a patch is available to prevent exploitation of the XSS issue.

**Name of the Vulnerable Software and Affected Versions** PBLang version 4.65 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via multiple fields in (1) "UCP.php" and (2) "SendPm.php". **Recommendations** For PBLang version 4.65, consider disabling access to the "UCP.php" and "SendPm.php" files until a patch is available to prevent exploitation of the XSS issue.