Phplizardo

**Name of the Vulnerable Software and Affected Versions** PunBB versions 1.3 through 1.3.1 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `password` field in the login.php file. **Recommendations** For PunBB versions 1.3 through 1.3.1, consider disabling the login functionality until a patch is available to prevent exploitation. Restrict access to the login.php file to minimize the risk of XSS attacks. Avoid using the `password` field in the login.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PunBB versions 1.3 through 1.3.1 **Description** The issue allows remote authenticated administrators to execute arbitrary SQL commands. This can be achieved via the `order by` or `direction` parameter to "admin/users.php", or through configuration options to "admin/settings.php". **Recommendations** For PunBB versions 1.3 through 1.3.1, consider restricting access to the admin/users.php and admin/settings.php pages until a fix is available. As a temporary workaround, avoid using the `order by` and `direction` parameters in the admin/users.php page, and limit modifications to configuration options in admin/settings.php.

**Name of the Vulnerable Software and Affected Versions** PunBB versions prior to 1.3.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is achieved via a topic subject in the moderate.php file. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: ImperialBB versions 2.3.5 and earlier Description: The issue allows remote authenticated users to upload and execute arbitrary PHP code. This can be achieved by placing a .php filename in the `Upload Avatar` parameter and sending the image/gif content type. Recommendations: For ImperialBB versions 2.3.5 and earlier, consider restricting access to the `Upload Avatar` parameter to prevent uploading of malicious files until a patch is available. Additionally, validate the content type of uploaded files to prevent execution of arbitrary PHP code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.