Cross-site scripting (XSS) vulnerability in MT312 IMG-BBS allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to model.php with a timestamp before 20090521.