Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link.
Loss of Confidentiality, Loss of Integrity, Loss of Availability
OpenBB contains a flaw that allows remote attackers to execute arbitrary OpenBB commands. The issue is due to the bulletin board not properly utilizing session IDs or authentication tokens. If an attacker supplies a malicious command embedded in an image tag which is posted or sent as a private message, the command will be executed without confirmation by the administrator.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
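The kind of check the description says is missing, a per-session token required on every state-changing request, shown as an added PHP example. It is not OpenBB code and not a vendor patch; the function names and the `csrf_token` field are assumptions, and it requires PHP 7.1 or later.

```php
<?php
// Added illustration, not OpenBB code. Function names and the 'csrf_token'
// field are hypothetical.

// Issue one unpredictable token per session; every form that changes state
// embeds it as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a request is allowed to change state.
// A request triggered by an image tag or a followed link is a GET and cannot
// carry the session's token, so it fails both checks below.
function csrf_request_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // state changes are never accepted over GET
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false; // no token issued, or a malformed (array) parameter
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed requests, for demonstration only.
$session = [];
$token = csrf_token($session);
$cases = [
    'GET from an embedded image tag' => ['GET', []],
    'POST without a token'           => ['POST', ['action' => 'example']],
    'POST with a wrong token'        => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'POST from the real form'        => ['POST', ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $verdict = csrf_request_allowed($method, $post, $session) ? 'allowed' : 'rejected';
    printf("%-32s %s\n", $label, $verdict);
}
```

Only the last constructed request is allowed; in a real application the check would run before any of the administrative or posting actions in the listed scripts.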