CVE-2014-3827

Name of the Vulnerable Software and Affected Versions MyBB versions prior to 1.8.4

Description The issue allows remote authenticated users to inject arbitrary web script or HTML. This can be achieved via the title parameter in the edit or add action in the user-users module, the finduser action, or the name parameter in an edit action in the user-user module, or the editprofile action to modcp.php.

Recommendations For versions prior to 1.8.4, update to version 1.8.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the user-users module and modcp.php to minimize the risk of exploitation. Avoid using the title and name parameters in the affected actions until the issue is resolved.