Mike,
here are the gory details..
Warning techno babble to follow...
"YaBBSE Index.PHP Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability affects YaBBSE because the application fails to properly sanitize user-supplied input before including it in dynamically generated web content.
An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user. This may help the attacker steal cookie-based authentication credentials and launch other attacks."
"yabb-multiple-sql-injection (15354) The risk level is classified as Medium Risk
Description:
YaBB (Yet Another Bulletin Board) is an open-source bulletin board system that runs on any system capable of executing Perl CGI scripts. YaBB SE versions 1.5.4, 1.5.5, 1.5.5b and possibly earlier versions are vulnerable to SQL injection, caused by a vulnerability in the ModifyMessage module and in the ModifyMessage2 module. A remote attacker could insert arbitrary SQL code in the $msg variable in a request to the index.php script of the ModifyMessage module, in the $postid variable in a request to the index.php script of the ModifyMessage2 module, or in the $attachOld variable in a request to the index.php script of the ModifyMessage2 module, which would allow the attacker to obtain sensitive information, including the user's MD5 password hash and secret question, allowing the attacker to add, modify or delete data in the backend database."
"yabb-post-sql-injection (15224) The risk level is classified as Medium Risk
Description:
YaBB (Yet Another Bulletin Board) is an open-source bulletin board system that runs on any system capable of executing Perl CGI scripts. YaBB SE versions 1.5.4 and 1.5.5 and possibly other versions are vulnerable to SQL injection using the post.php script. A remote attacker, with a valid account, could pass malicious SQL commands to the post.php script using the quote parameter, which would allow the attacker to obtain the encrypted password of another user."
Reader's Digest version...
Basically, it can steal stuff from your computer via your web browser, wipe out the database on the server, or steal someone else's password too, just for starters.