Murphy

**Name of the Vulnerable Software and Affected Versions** University Event Management System version 1.0 **Description** A critical issue affects the processing of the file /dodelete.php, where the manipulation of the `id` argument leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For University Event Management System version 1.0, as a temporary workaround, consider restricting access to the /dodelete.php file until a patch is available. Avoid using the `id` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.24 **Description** The issue arises from improper input escaping in the custom MyCode for the visual editor, leading to a DOM-based XSS vulnerability. This can be exploited by directing a victim to a page with the visual editor active, such as a post or Private Message, where it operates on a maliciously crafted MyCode message. Exploitation scenarios include pages with pre-filled message content using GET/POST parameters or reply pages quoting previously saved malicious messages. **Recommendations** For versions prior to 1.8.24, upgrade to version 1.8.24 and ensure the version attribute in the `codebuttons` template is updated for non-default themes to serve the latest version of the patched `jscripts/bbcodes sceditor.js` file.