C R A C K E R

**Name of the Vulnerable Software and Affected Versions** CyBoards PHP Lite version 1.21 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `script path` parameter to various PHP files, including (1) "flat read.php", (2) "post.php", (3) "process post.php", (4) "process search.php", (5) "forum.php", (6) "process subscribe.php", (7) "read.php", (8) "search.php", (9) "subscribe.php" in the path/, and (10) "add ban.php", (11) "add ban form.php", (12) "add board.php", (13) "add vip.php", (14) "add vip form.php", (15) "copy ban.php", (16) "copy vip.php", (17) "delete ban.php", (18) "delete board.php", (19) "delete messages.php", (20) "delete vip.php", (21) "edit ban.php", (22) "edit board.php", (23) "edit vip.php", (24) "index.php", (25) "lock messages.php", (26) "login.php", (27) "modify ban list.php", (28) "modify vip list.php", (29) "move messages.php", (30) "process add board.php", (31) "process ban.php", (32) "process delete ban.php", (33) "process delete board.php", (34) "process delete messages.php", (35) "process delete vip.php", (36) "process edit board.php", (37) "process lock messages.php", (38) "process login.php", (39) "process move messages.php", (40) "process sticky messages.php", (41) "process vip.php", and (42) "sticky messages.php" in the path/adminopts. **Recommendations** As a temporary workaround, consider disabling the `script path` parameter in the affected PHP files until a patch is available. Restrict access to the vulnerable PHP files to minimize the risk of exploitation. Avoid using the `script path` parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CyBoards PHP Lite version 1.21 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters. The vulnerable parameters include `lOptionsOptions`, `lNavAdminOptions`, and `lNavReturn` in options.php, as well as `lNavReturn` in subscribe.php. **Recommendations** For CyBoards PHP Lite version 1.21, consider restricting access to the options.php and subscribe.php files until a patch is available. As a temporary workaround, avoid using the `lOptionsOptions`, `lNavAdminOptions`, and `lNavReturn` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** CyBoards PHP Lite version 1.21 **Description** The issue allows remote attackers to include and execute arbitrary local files via directory traversal sequences. This can be achieved by manipulating the `script path` parameter to "options.php" and the `lang code` parameter to "copy vip.php" and "process edit board.php" in the "adminopts/" directory. **Recommendations** For CyBoards PHP Lite version 1.21, consider restricting access to the "options.php", "copy vip.php", and "process edit board.php" files in the "adminopts/" directory to minimize the risk of exploitation. Avoid using the `script path` and `lang code` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.