Re: Bosdev Multiple vulnerabilities

[sales () bosdev com]

Actually, you've never emailed us.

HTML is stripped from posts, with the exception of admin allowed tags.  The username XSS issue is already being dealt 
with in the 6.1 release.

Install.php won't do anything, unless you know the username/password/db name for the system.  Admins are told to remove 
the file specifically for the reason listed above.

Next time you say you have emailed someone, you might actually try doing it.