Description
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
Remediation
References
Related Vulnerabilities
Drupal Core 4.7.x Multiple Cross-Site Scripting Vulnerabilities (4.7.0 - 4.7.3)
WordPress Plugin Compact WP Audio Player Cross-Site Scripting (1.9.7)
Serendipity Other Vulnerability (CVE-2015-6968)
WordPress Plugin OnePress Social Locker Multiple Unspecified Vulnerabilities (4.2.5)
MySQL NULL Pointer Dereference Vulnerability (CVE-2020-1967)