OpenBB contains a flaw that may allow a remote attacker to upload arbitrary files that can be executed on other client systems. The issue is due to the software not validating file types or content for avatar uloads. By uploading a script file instead of an image, an attacker can then post to the board with the malicious avatar. Subsequent viewers of the post will then execute the script in the context of their system.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.