MyBB · MyBB · CVE-2015-2149
**Name of the Vulnerable Software and Affected Versions**
MyBB versions prior to 1.8.4
**Description**
The issue is in the administrative backend and allows remote authenticated users to inject arbitrary web script or HTML (cross-site scripting). Injection is possible through several fields in different modules, including the MIME-type field in the config-attachment types module, the title or short description fields in the config-mycode or user-groups modules, and others. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.
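A triage check for the fields named above, as an added example that is not MyBB code: it flags MIME-type entries that are not a bare RFC 6838 media type, and title or short description text that contains angle brackets. The `(module, field, value)` row layout and the function name are assumptions, the sample rows are constructed, and how the values are exported from the forum is left to the operator.

```python
import re

# RFC 6838 "restricted-name" grammar, used for both the type and the subtype.
_NAME = r"[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}"
MEDIA_TYPE_RE = re.compile(_NAME + "/" + _NAME)

# Angle brackets are a coarse triage signal for markup stored in a text field.
MARKUP_RE = re.compile(r"[<>]")

# Constructed sample rows: (module, field, stored value), labelled as in the
# description above. Real rows would come from an export of the forum's data.
SAMPLE_ROWS = [
    ("config-attachment types", "MIME-type", "image/png"),
    ("config-attachment types", "MIME-type", "image/png<i>x</i>"),
    ("config-mycode", "title", "Spoiler tag"),
    ("config-mycode", "short description", "Hides text <b>until clicked</b>"),
    ("user-groups", "title", "Moderators"),
]


def audit_admin_fields(rows):
    """Return (module, field, value, reason) for every value worth reviewing."""
    findings = []
    for module, field, value in rows:
        if field == "MIME-type":
            # A MIME-type field has a strict grammar, so use an allowlist.
            if not MEDIA_TYPE_RE.fullmatch(value):
                findings.append((module, field, value, "not a bare media type"))
        elif MARKUP_RE.search(value):
            # Titles and descriptions are free text; report embedded markup.
            findings.append((module, field, value, "contains angle brackets"))
    return findings


if __name__ == "__main__":
    for module, field, value, reason in audit_admin_fields(SAMPLE_ROWS):
        print(f"{module} / {field}: {reason}: {value!r}")
```

A media type stored with parameters, such as a charset, is also reported by the allowlist and needs a manual look.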
**Recommendations**
For versions prior to 1.8.4, update to version 1.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrative backend to minimize the risk of exploitation. Avoid using the vulnerable fields in the affected modules until the issue is resolved.