The ChangeLog for phpBB 2.0.11 states:
Changes since 2.0.10
- Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible)
- Fixed unsetting global vars - Matt Kavanagh
- Fixed XSS vulnerability in username handling - AnthraX101
- Fixed not confirmed sql injection in username handling - warmth
- Added check for empty topic id in topic_review function
- Added visual confirmation mod to code base
Additionally, a US-CERT Technical Cyber Security Alert reports:
phpBB contains a user input validation problem with
regard to the parsing of the URL. An intruder can deface a
phpBB website, execute arbitrary commands, or gain
administrative privileges on a compromised bulletin
board.