MyBB · MyBB · CVE-2014-3827
**Name of the Vulnerable Software and Affected Versions**
MyBB versions prior to 1.8.4
**Description**
The issue is a cross-site scripting (XSS) flaw: remote authenticated users can inject arbitrary web script or HTML via the `title` parameter in the edit or add action in the user-users module, the finduser action, or the `name` parameter in an edit action in the user-user module, or the editprofile action to modcp.php.
**Recommendations**
For versions prior to 1.8.4, update to version 1.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the user-users module and modcp.php to minimize the risk of exploitation. Avoid using the `title` and `name` parameters in the affected actions until the issue is resolved.
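
While the upgrade is pending, requests to the affected entry points can be reviewed for markup in the `title` and `name` parameters. The following log triage is an added example, not part of the original advisory or of MyBB's code. It assumes a log source that records request parameters in the request line, reads finduser as a modcp.php action, and runs over constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Entry points named in the advisory, which spells the module both ways.
ADMIN_MODULES = {"user-users", "user-user"}
ADMIN_ACTIONS = {"edit", "add"}
MODCP_ACTIONS = {"finduser", "editprofile"}  # assumption: both are modcp.php actions
WATCHED_PARAMS = ("title", "name")           # checked on every in-scope request

MARKUP = re.compile(r'[<>"]')  # triage signal only; a quote can be legitimate
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def in_scope(path, params):
    """True if the request targets one of the advisory's entry points."""
    action = params.get("action", [""])[0]
    module = params.get("module", [""])[0]
    if module in ADMIN_MODULES and action in ADMIN_ACTIONS:
        return True
    return path.rsplit("/", 1)[-1] == "modcp.php" and action in MODCP_ACTIONS


def suspicious_params(log_line):
    """Return the watched parameters whose decoded value contains markup."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes
    if not in_scope(url.path, params):
        return []
    return [p for p in WATCHED_PARAMS
            if any(MARKUP.search(v) for v in params.get(p, []))]


def scan(lines):
    """Return (line_index, flagged_params) for every line worth reviewing."""
    hits = ((i, suspicious_params(line)) for i, line in enumerate(lines))
    return [(i, flagged) for i, flagged in hits if flagged]


# Constructed sample lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2015:10:00:00 +0000] "GET /forum/modcp.php?action=editprofile&uid=5&name=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2015:10:01:00 +0000] "POST /forum/admin/index.php?module=user-users&action=edit&title=Moderator HTTP/1.1" 200 734',
    '198.51.100.9 - - [01/Jan/2015:10:02:00 +0000] "POST /forum/admin/index.php?module=user-users&action=add&title=%22%3E%3Ci%3E HTTP/1.1" 200 801',
    '198.51.100.9 - - [01/Jan/2015:10:03:00 +0000] "GET /forum/showthread.php?tid=1&title=%3Cb%3E HTTP/1.1" 200 900',
]

print(scan(SAMPLE_LOG))  # [(0, ['name']), (2, ['title'])]
```

A default access log does not contain POST bodies, so this check only sees parameters that reach the request line or that a WAF or audit log writes there.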