lostBook < 1.1 - Cross-Site Scripting via Email or Website Fields
Cross-site scripting (XSS) vulnerability in lostBook 1.1 and earlier allows remote attackers to inject arbitrary web script via the (1) Email or (2) Website fields.
Fusion News 3.6.1 - Cross-Site Request Forgery via BBCode Image Tag
Fusion News 3.6.1 allows remote attackers to add user accounts while the administrator is logged in, via a comment containing an img BBCode tag that calls index.php with the signup action. The request is executed when the administrator's browser loads the page containing the img tag.