CVE-2018-18670

Name of the Vulnerable Software and Affected Versions GNUBOARD5 version 5.3.1.9

Description The issue allows remote attackers to inject arbitrary web script or HTML via the Extra Contents parameter, also known as the cf 1~10 parameter in the adm/config form update.php file. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For GNUBOARD5 version 5.3.1.9, consider disabling the cf 1~10 parameter in the adm/config form update.php file as a temporary workaround to prevent exploitation. Restrict access to the adm/config form update.php file to minimize the risk of arbitrary web script or HTML injection. Avoid using the Extra Contents parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.