The avatar upload capability in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to execute arbitrary script by uploading files that include scripting code such as Javascript.
https://exchange.xforce.ibmcloud.com/vulnerabilities/15971
http://www.securityfocus.com/bid/10218
http://securitytracker.com/id?1009935