CVE-2011-3371

Name of the Vulnerable Software and Affected Versions PunBB versions prior to 1.3.6

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files, including delete.php, edit.php, login.php, misc.php, profile.php, and register.php. The vulnerable parameters include id, form sent, csrf token, req confirm, delete, req message, submit, action, req email, request pass, email, redirect url, req subject, req old password, req new password1, req new password2, update, req username, req password1, req password2, req email1, timezone, and register.

Recommendations For PunBB versions prior to 1.3.6, update to version 1.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters until a patch is applied. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.