phpbb -- arbitrary command execution and other vulnerabilities

The ChangeLog for phpBB 2.0.11 states:

Changes since 2.0.10

Fixed vulnerability in highlighting code (very
high severity, please update your installation as soon
as possible)
Fixed unsetting global vars - Matt
Kavanagh
Fixed XSS vulnerability in username handling
- AnthraX101
Fixed not confirmed sql injection in username handling
- warmth
Added check for empty topic id in topic_review
function
Added visual confirmation mod to code base

Additionally, a US-CERT Technical Cyber Security Alert reports:

phpBB contains an user input validation problem with
regard to the parsing of the URL. An intruder can deface a
phpBB website, execute arbitrary commands, or gain
administrative privileges on a compromised bulletin
board.