Vulnerabilites related to mybb - mybb
Vulnerability from fkie_nvd
Published
2015-03-18 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en member.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-2332",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-03-18T14:59:01.903",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73212"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73212"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check."
},
{
"lang": "es",
"value": "newreply.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 permite a atacantes remotos tener un impacto no especificado al aprovechar una comprobaci\u00f3n de permiso perdida."
}
],
"id": "CVE-2016-9403",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.063",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-01-02 15:15
Modified
2024-11-21 04:38
Severity ?
Summary
MyBB before 1.8.22 allows an open redirect on login.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://mybb.com/versions/1.8.22/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com/versions/1.8.22/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7B03E0B1-4D3E-48F1-BE5B-BCF4A338CC34",
"versionEndExcluding": "1.8.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.22 allows an open redirect on login."
},
{
"lang": "es",
"value": "MyBB versiones anteriores a la versi\u00f3n 1.8.22, permite un redireccionamiento abierto sobre el inicio de sesi\u00f3n."
}
],
"id": "CVE-2019-20225",
"lastModified": "2024-11-21T04:38:14.847",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-02T15:15:12.583",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.22/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.22/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-06 22:15
Modified
2024-11-21 08:26
Severity ?
Summary
Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC8DBC6D-0D47-46D6-A840-36BF42F37437",
"versionEndExcluding": "1.8.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component."
},
{
"lang": "es",
"value": "Vulnerabilidad de Cross-Site Scripting (XSS) en Mybb Mybb Forums v.1.8.33 permite a un atacante local ejecutar c\u00f3digo arbitrario a trav\u00e9s del par\u00e1metro Nombre del tema en el componente de administraci\u00f3n de temas."
}
],
"id": "CVE-2023-45556",
"lastModified": "2024-11-21T08:26:57.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-06T22:15:07.990",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "https://github.com/Or4ngm4n/Mybb/blob/main/MyBB%201.8.33%20Cross%20Site%20Scripting.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-4xqm-3cm2-5xgf"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://raw.githubusercontent.com/Or4ngm4n/Mybb/main/Screenshot%202023-10-08%20012112.png"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "https://github.com/Or4ngm4n/Mybb/blob/main/MyBB%201.8.33%20Cross%20Site%20Scripting.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-4xqm-3cm2-5xgf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://raw.githubusercontent.com/Or4ngm4n/Mybb/main/Screenshot%202023-10-08%20012112.png"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-13 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACDC3261-4AA6-48DD-AF97-EF346DBC3FDD",
"versionEndIncluding": "1.6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP)."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en MyBB (alias MyBulletinBoard) antes de v1.6.7 permiten a los administradores remotos ejecutar comandos SQL a trav\u00e9s de vectores no especificados en (1) la b\u00fasqueda de usuarios o (2) el registro de correo en el Panel de Control de Administraci\u00f3n (ACP).\r\n"
}
],
"id": "CVE-2012-2324",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-13T18:55:01.037",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/53417"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2005-12-13 11:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:pr2:*:*:*:*:*:*",
"matchCriteriaId": "FCA236E2-038D-443E-BF77-2BF21B11BAE6",
"versionEndIncluding": "1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php."
}
],
"id": "CVE-2005-4199",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2005-12-13T11:03:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/18000"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/246"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/294"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1015407"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/22156"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/22157"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/22158"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/419067/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/420159/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/15793"
},
{
"source": "cve@mitre.org",
"url": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2005/2842"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/18000"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/246"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/294"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1015407"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/22156"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/22157"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/22158"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/419067/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/420159/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.securityfocus.com/bid/15793"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2005/2842"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-11-10 23:29
Modified
2025-04-20 01:37
Severity ?
Summary
The installer in MyBB before 1.8.13 has XSS.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.exploit-db.com/exploits/43137/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/43137/ | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52EEFACF-D046-478B-801D-CC39CAAD6555",
"versionEndIncluding": "1.8.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The installer in MyBB before 1.8.13 has XSS."
},
{
"lang": "es",
"value": "El instalador en MyBB en versiones anteriores a la 1.8.13 tiene Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2017-16781",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-10T23:29:00.277",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/43137/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/43137/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 18:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65 | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65 | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3)."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en MyBB versiones anteriores a 1.8.26, por medio de la funcionalidad Copy Forum en Forum Management.\u0026#xa0;(n\u00famero 2 de 3)"
}
],
"id": "CVE-2021-27947",
"lastModified": "2024-11-21T05:58:53.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:18.830",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-09-17 04:29
Modified
2024-11-21 03:53
Severity ?
Summary
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.exploit-db.com/exploits/45449/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/45449/ | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E88CBA36-C42E-4C23-9488-88C8D6E73E12",
"versionEndExcluding": "1.8.19",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode."
},
{
"lang": "es",
"value": "Se ha descubierto un problema de Cross-Site Scripting (XSS) persistente en Visual Editor en MyBB en versiones anteriores a la 1.8.19 mediante Video MyCode."
}
],
"id": "CVE-2018-17128",
"lastModified": "2024-11-21T03:53:54.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-09-17T04:29:00.953",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/45449/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/45449/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-21 20:29
Modified
2024-11-21 04:11
Severity ?
Summary
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8DF54ECF-097F-490E-8657-655328421CF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts."
},
{
"lang": "es",
"value": "MyBB 1.8.14 no comprueba un token CSRF v\u00e1lido, lo que conduce al borrado arbitrario de cuentas de usuario."
}
],
"id": "CVE-2018-7305",
"lastModified": "2024-11-21T04:11:58.610",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-21T20:29:00.473",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores relacionados con el inicio de sesi\u00f3n."
}
],
"id": "CVE-2016-9404",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.093",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-11-17 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en admin/modules/user/users.php en MyBB (alias MyBulletinBoard) v1.6.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro conditions[usergroup][] en una acci\u00f3n de b\u00fasqueda a admin/index.php."
}
],
"id": "CVE-2012-5908",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-11-17T21:55:05.487",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/80633"
},
{
"source": "cve@mitre.org",
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/80633"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74397"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-10-26 22:15
Modified
2024-11-21 06:26
Severity ?
Summary
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/ | Third Party Advisory | |
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7 | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69AA234A-F7F0-43AD-854E-1C65C38D480C",
"versionEndExcluding": "1.8.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP\u0027s theme management is not escaped properly."
},
{
"lang": "es",
"value": "MyBB versiones anteriores a 1.8.28, permite un ataque de tipo XSS almacenado porque el valor del Nombre de la Plantilla que se muestra en la administraci\u00f3n de temas del CP de Administraci\u00f3n no escapa apropiadamente"
}
],
"id": "CVE-2021-41866",
"lastModified": "2024-11-21T06:26:55.367",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-10-26T22:15:08.207",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 permiten a atacantes remotos obtener informaci\u00f3n sensible aprovechando la protecci\u00f3n de la lista de directorios ausentes en los directorios de subida."
}
],
"id": "CVE-2016-9414",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.487",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 en Windows y MyBB Merge System en versiones anteriores a 1.8.8 en Windows podr\u00edan permitir a atacantes remotos obtener informaci\u00f3n sensible de las copias de seguridad de ACP a trav\u00e9s de vectores que implican un nombre corto."
}
],
"id": "CVE-2016-9418",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.640",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-08-13 21:15
Modified
2025-08-14 17:42
Severity ?
Summary
myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application."
},
{
"lang": "es",
"value": "La versi\u00f3n 1.6.4 de myBB se distribuy\u00f3 con una puerta trasera no autorizada incrustada en el c\u00f3digo fuente. Esta puerta trasera permit\u00eda a atacantes remotos ejecutar c\u00f3digo PHP arbitrario inyectando payloads en una cookie colapsada especialmente manipulada. Esta vulnerabilidad se introdujo durante el empaquetado y no formaba parte de la l\u00f3gica de la aplicaci\u00f3n. Su explotaci\u00f3n no requiere autenticaci\u00f3n y compromete por completo el servidor web en el contexto de la aplicaci\u00f3n web."
}
],
"id": "CVE-2011-10018",
"lastModified": "2025-08-14T17:42:18.333",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
},
"published": "2025-08-13T21:15:29.387",
"references": [
{
"source": "disclosure@vulncheck.com",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Product"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Exploit"
],
"url": "https://www.exploit-db.com/exploits/17949"
},
{
"source": "disclosure@vulncheck.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Product"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit"
],
"url": "https://www.exploit-db.com/exploits/17949"
}
],
"sourceIdentifier": "disclosure@vulncheck.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-912"
}
],
"source": "disclosure@vulncheck.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-09-11 01:13
Modified
2025-04-09 00:30
Severity ?
Summary
SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE928783-BD14-4BCD-BC6E-13E406431705",
"versionEndIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en misc.php de MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.4.1 permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n mediante cierto editor de campos."
}
],
"evaluatorSolution": "Patch information - http://community.mybboard.net/showthread.php?tid=36022",
"id": "CVE-2008-3965",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-09-11T01:13:47.663",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31104"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-15 18:29
Modified
2024-11-21 04:23
Severity ?
Summary
In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/ | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/ | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "438D60BF-E8A0-41F9-AE8E-B17569ECD586",
"versionEndExcluding": "1.8.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE."
},
{
"lang": "es",
"value": "En MyBB anterior a versi\u00f3n 1.8.21, un atacante puede abusar de un comportamiento por defecto de MySQL en muchos sistemas (lo que conlleva a un truncamiento de cadenas que muy largas para una columna de la base de datos) para crear un shell PHP en el directorio de cach\u00e9 de un foro apuntado por medio de un importaci\u00f3n XML creada, como es demostrado mediante el truncamiento de aaaaaaaaaaaaaaaaaaaaaaaa.php.css a aaaaaaaaaaaaaaaaaaaaaaaaaa.php con un l\u00edmite de 30 caracteres, tambi\u00e9n se conoce como Ejecuci\u00f3n de C\u00f3digo Remota (RCE) del nombre de la hoja de estilo (stylesheet name) theme import"
}
],
"id": "CVE-2019-12831",
"lastModified": "2024-11-21T04:23:40.667",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-15T18:29:00.283",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-30 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user's language via the language parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.0 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EF48E06-2401-400C-B4DB-F26505D0638C",
"versionEndIncluding": "1.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user\u0027s language via the language parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de solicitudes falsificadas en sitios cruzados (CSRF) en global.php en MyBB anterior a v1.6.5 permite a atacantes remotos secuestrar la autenticaci\u00f3n de un usuario para solicitar un cambio de lenguaje del usuario a trav\u00e9s del par\u00e1metro de lenguaje."
}
],
"id": "CVE-2011-5131",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-30T22:55:04.137",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybb.com/issues/1729"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/77327"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71462"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybb.com/issues/1729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/77327"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71462"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-11-20 21:15
Modified
2025-07-07 18:07
Severity ?
Summary
A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/issues/4859 | Exploit, Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*",
"matchCriteriaId": "07E2BC41-5325-4F85-9235-61FF5CA894D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the component install\\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de cross site scripting (XSS) almacenado en el componente install\\index.php de MyBB v1.8.38 permite a los atacantes ejecutar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un payload manipulado e inyectado en el par\u00e1metro Nombre del sitio web."
}
],
"id": "CVE-2024-52702",
"lastModified": "2025-07-07T18:07:18.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-11-20T21:15:08.667",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/issues/4859"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-04-11 20:29
Modified
2024-11-21 03:57
Severity ?
Summary
A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://mybb.com/versions/1.8.20/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com/versions/1.8.20/ | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1C328F1-B436-4995-A5C9-66F75C5930A9",
"versionEndExcluding": "1.8.20",
"versionStartIncluding": "1.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the \u0027upsetting[bburl]\u0027 parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo XSS reflejada en el archivo index.php en MyBB versi\u00f3n 1.8.x hasta la 1.8.19, permite a atacantes remotos inyectar JavaScript por medio del par\u00e1metro \u0027upsetting[bburl]\u0027."
}
],
"id": "CVE-2018-19202",
"lastModified": "2024-11-21T03:57:32.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-11T20:29:00.370",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.20/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.20/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-18 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors."
},
{
"lang": "es",
"value": "Una librar\u00eda JSON en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 permite a atacantes remotos obtener la ruta de instalaci\u00f3n a trav\u00e9s de vectores desconocidos."
}
],
"id": "CVE-2015-2335",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-03-18T14:59:04.733",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73216"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-03 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en member.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) 1.8.x anterior a 1.8.2 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s del par\u00e1metro question_id en una acci\u00f3n do_register."
}
],
"id": "CVE-2014-9240",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-03T21:59:10.400",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-01-10 16:47
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.0 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 | |
| mybb | mybb | 1.6.6 | |
| mybb | mybb | 1.6.7 | |
| mybb | mybb | 1.6.8 | |
| mybb | mybb | 1.6.9 | |
| mybb | mybb | 1.6.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB176E2-A87C-4098-93F3-B6B4C09389FD",
"versionEndIncluding": "1.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04264BC5-425C-47D4-9EE0-35BF11B904F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.8:*:*:*:*:*:*:*",
"matchCriteriaId": "5E42628F-7E7F-4E3A-BB8E-699166CB86B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A02FA2FA-E035-40CD-9C0F-A143A931D40D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F52B8848-9103-4A78-A45B-6BE73855647A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs."
},
{
"lang": "es",
"value": "Vulnerabilidad cross-site scripting (XSS) en la funci\u00f3n mycode_parse_video de inc/class_parser.php de MyBB (MyBulletinBoard) anteriores a 1.6.12 permite a atacantes remotos inyectar script web o HTML de forma arbitraria a trav\u00e9s de vectores relacionados con URLs de video Yahoo."
}
],
"id": "CVE-2013-7288",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-01-10T16:47:05.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/show/osvdb/101544"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55945"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"source": "cve@mitre.org",
"url": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/show/osvdb/101544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-03-29 19:29
Modified
2024-11-21 03:57
Severity ?
Summary
A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "69E63376-C844-4044-928D-C59A063A8734",
"versionEndExcluding": "1.8.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the \u0027username\u0027 parameter."
},
{
"lang": "es",
"value": "Una vulnerabilidad de XSS reflejado en el editor \"ModCP Profile\", en versiones anteriores a la 1.8.20, permite a los atacantes remotos inyectar c\u00f3digo JavaScript en el par\u00e1metro \"username\"."
}
],
"id": "CVE-2018-19201",
"lastModified": "2024-11-21T03:57:32.497",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-29T19:29:00.213",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to \"style import.\""
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 en Windows y MyBB Merge System en versiones anteriores a 1.8.8 en Windows permiten a atacantes remotos sobrescribir archivos CSS arbitrarios a trav\u00e9s de vectores relacionados con \"importar estilo\"."
}
],
"id": "CVE-2016-9415",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.533",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-11-04 18:15
Modified
2024-11-21 06:28
Severity ?
Summary
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F65391CA-449D-44EE-8A72-C9906C5A4A6F",
"versionEndExcluding": "1.8.29",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.29 allows Remote Code Injection by an admin with the \"Can manage settings?\" permission. The Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type \"php\" with PHP code, executed on Change Settings pages."
},
{
"lang": "es",
"value": "MyBB versiones anteriores a 1.8.29, permite una Inyecci\u00f3n de C\u00f3digo Remota por parte de un administrador con el permiso \"Can manage settings?\". El m\u00f3dulo de administraci\u00f3n de configuraciones del CP del Administrador no comprueba correctamente los tipos de configuraciones al insertarlas y actualizarlas, haciendo posible a\u00f1adir configuraciones del tipo \"php\" con c\u00f3digo PHP, ejecutado en las p\u00e1ginas de cambio de configuraciones"
}
],
"id": "CVE-2021-43281",
"lastModified": "2024-11-21T06:28:59.587",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-11-04T18:15:08.797",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-12-03 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en MyBB (tambi\u00e9n conocido como MyBulletinBoard) 1.8.x anterior a 1.8.2 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del (1) par\u00e1metro type en report.php, (2) par\u00e1metro signature en una acci\u00f3n do_editsig en usercp.php, o (3) par\u00e1metro title en el m\u00f3dulo style-templates en una acci\u00f3n edit_template o (4) par\u00e1metro file en el m\u00f3dulo config-languages en una acci\u00f3n edit en admin/index.php."
}
],
"id": "CVE-2014-9241",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-12-03T21:59:11.587",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails."
},
{
"lang": "es",
"value": "El panel de control Admin en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 permite a los atacantes remotos obtener la ruta de instalaci\u00f3n a trav\u00e9s de vectores que implican el env\u00edo de correos."
}
],
"id": "CVE-2016-9411",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.377",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-13 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACDC3261-4AA6-48DD-AF97-EF346DBC3FDD",
"versionEndIncluding": "1.6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) antes de v1.6.7 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una cookie forumread incorrecta, lo cual revela la ruta de instalaci\u00f3n en un mensaje de error.\r\n"
}
],
"id": "CVE-2012-2327",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-13T18:55:03.630",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/53417"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en la herramienta de moderaci\u00f3n en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9402",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.017",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-06 19:29
Modified
2025-06-30 16:51
Severity ?
Summary
MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.19:*:*:*:*:*:*:*",
"matchCriteriaId": "41FE43D0-F03B-4A54-A59E-5C06D4A56ABD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter."
},
{
"lang": "es",
"value": "MyBB 1.8.19 permite que los atacantes remotos puedan obtener informaci\u00f3n confidencial porque revelar el nombre de usuario al recibir una petici\u00f3n de restablecimiento de contrase\u00f1a que carece de los par\u00e1metros de c\u00f3digo"
}
],
"id": "CVE-2019-3579",
"lastModified": "2025-06-30T16:51:43.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-06T19:29:00.657",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-08-31 14:15
Modified
2024-11-21 05:08
Severity ?
Summary
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/joelister/bug/issues/2 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/joelister/bug/issues/2 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.20:*:*:*:*:*:*:*",
"matchCriteriaId": "9588B1DB-5ED6-43CE-8B95-78989C75A59E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Description\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en MyBB versi\u00f3n v1.8.20, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del campo \"Description\" que se encuentra en la p\u00e1gina \"Add New Forum\" haciendo una petici\u00f3n HTTP POST autenticada a \"/Upload/admin/index.php?module=forum-management\u0026amp;action=add\""
}
],
"id": "CVE-2020-19049",
"lastModified": "2024-11-21T05:08:56.127",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-31T14:15:25.390",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/joelister/bug/issues/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/joelister/bug/issues/2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-13 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACDC3261-4AA6-48DD-AF97-EF346DBC3FDD",
"versionEndIncluding": "1.6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment."
},
{
"lang": "es",
"value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en el Panel de control de administraci\u00f3n (ACP) en MyBB (Tambi\u00e9n conocido como MyBulletinBoard) antes de v1.6.7 permite a los administradores remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de un nombre de archivo con formato incorrecto en un archivo adjunto hu\u00e9rfano.\r\n"
}
],
"id": "CVE-2012-2326",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-13T18:55:03.567",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/53417"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-08-31 14:15
Modified
2024-11-21 05:08
Severity ?
Summary
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/joelister/bug/issues/1 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/joelister/bug/issues/1 | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.20:*:*:*:*:*:*:*",
"matchCriteriaId": "9588B1DB-5ED6-43CE-8B95-78989C75A59E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Title\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross Site Scripting (XSS) en MyBB versi\u00f3n v1.8.20, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del campo \"Title\" que se encuentra en la p\u00e1gina \"Add New Forum\" haciendo una petici\u00f3n HTTP POST autenticada a \"/Upload/admin/index.php?module=forum-management\u0026amp;action=add\""
}
],
"id": "CVE-2020-19048",
"lastModified": "2024-11-21T05:08:55.980",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-08-31T14:15:25.343",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/joelister/bug/issues/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/joelister/bug/issues/1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-11-29 11:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| tom_k | forum_userbar_plugin | 2.2 | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tom_k:forum_userbar_plugin:2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B6E124EE-8A80-4E32-8055-818E10BDC548",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "535910EE-CF4E-4249-B8BB-1972656D56CB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en userbarsettings.php en el complemento Userbar v2.2 para MyBB Forum permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro image2."
}
],
"id": "CVE-2011-4569",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-11-29T11:55:05.837",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/17962"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/50049"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70474"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/17962"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/50049"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70474"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el panel de control de User en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9406",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.173",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-03-09 22:15
Modified
2024-11-21 06:50
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "362CD6E4-2CC7-42AF-AAAA-5C3A6D47929E",
"versionEndExcluding": "1.8.30",
"versionStartIncluding": "1.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. In affected versions the Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB\u0027s Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds."
},
{
"lang": "es",
"value": "MyBB es un software de foros gratuito y de c\u00f3digo abierto. En las versiones afectadas, el m\u00f3dulo de gesti\u00f3n de configuraciones del CP de administraci\u00f3n no valida correctamente los tipos de configuraciones en la inserci\u00f3n y actualizaci\u00f3n, lo que hace posible a\u00f1adir configuraciones de tipo soportado `php` con c\u00f3digo PHP, ejecutado en las p\u00e1ginas de _Cambio de Configuraciones_. Esto resulta en una vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo (RCE). El m\u00f3dulo vulnerable requiere el acceso al CP de administrador con el permiso `Can manage settings?`. El m\u00f3dulo de configuraci\u00f3n de MyBB, que permite a los administradores a\u00f1adir, editar y eliminar configuraciones no predeterminadas, almacena los datos de configuraci\u00f3n en una cadena de c\u00f3digo de opciones ($options_code; columna de la base de datos mybb_settings.optionscode) que identifica el tipo de configuraci\u00f3n y sus opciones, separadas por un car\u00e1cter de nueva l\u00ednea (\\n). En MyBB 1.2.0, se a\u00f1adi\u00f3 soporte para el tipo de configuraci\u00f3n php, para el cual la parte restante del c\u00f3digo de opciones es c\u00f3digo PHP ejecutado en las p\u00e1ginas de cambio de configuraci\u00f3n (reservado para plugins y uso interno). MyBB 1.8.30 resuelve este problema. No se presentan medidas de mitigaci\u00f3n conocidas"
}
],
"id": "CVE-2022-24734",
"lastModified": "2024-11-21T06:50:58.673",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-03-09T22:15:09.363",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.30/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory",
"VDB Entry",
"Vendor Advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.30/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry",
"Vendor Advisory"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-09-03 17:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "171A772D-0FDB-4ADD-A4C4-C8E849D8B255",
"versionEndIncluding": "1.8.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en la funci\u00f3n de edici\u00f3n r\u00e1pida en xmlhttp.php en MyBB (tambi\u00e9n conocida como MyBulletinBoard) en versiones anteriores a 1.8.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del contenido de una post."
}
],
"id": "CVE-2015-4552",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-09-03T17:59:01.397",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://adrianhayter.com/exploits.php"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1033471"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://adrianhayter.com/exploits.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1033471"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-11-04 21:00
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la funci\u00f3n \"redirect\" de functions.php de MyBB (tambi\u00e9n conocido como MyBulletinBoard) v1.4.2; permite a atacantes remotos inyectar secuencias de comandos Web o HTML a trav\u00e9s del par\u00e1metro \"url\" en una acci\u00f3n \"removesubscriptions\" (eliminar las suscripciones) de moderation.php. Est\u00e1 relacionado con el uso de la opci\u00f3n ajax para solicitar una redirecci\u00f3n JavaScript. NOTA: Esto puede ser empleado para ejecutar c\u00f3digo PHP y evitar la protecci\u00f3n de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF)."
}
],
"id": "CVE-2008-4928",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-11-04T21:00:05.907",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0212.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31935"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0212.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31935"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2008/2967"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-08-14 18:47
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "64B78C22-D24E-4B6E-9DE8-2F4E0DF876A9",
"versionEndIncluding": "1.6.14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04264BC5-425C-47D4-9EE0-35BF11B904F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.8:*:*:*:*:*:*:*",
"matchCriteriaId": "5E42628F-7E7F-4E3A-BB8E-699166CB86B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A02FA2FA-E035-40CD-9C0F-A143A931D40D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F52B8848-9103-4A78-A45B-6BE73855647A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C7170B92-1D43-49CA-BC79-469F0C8965D6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.12:*:*:*:*:*:*:*",
"matchCriteriaId": "0B8D20CC-DBF2-490F-ACF7-06805BA13FF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.13:*:*:*:*:*:*:*",
"matchCriteriaId": "C697DCFB-B3ED-407E-8926-5ABA9DB372FF",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en MyBB anterior a 1.6.15 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a traves de vectores relacionados con video MyCode."
}
],
"id": "CVE-2014-5248",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-08-14T18:47:06.817",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/59707"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/59707"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page."
},
{
"lang": "es",
"value": "MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12 no maneja apropiadamente una configuraci\u00f3n de un foro visible que contiene hilos ocultos, lo que permite a atacantes remotos obtener informaci\u00f3n confidencial leyendo el bloque de hilos \u00faltimos de la p\u00e1gina del portal."
}
],
"id": "CVE-2010-4625",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-12-30T21:00:02.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybb.com/thread-66255.html"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/809"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64517"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybb.com/thread-66255.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/809"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64517"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-06 19:29
Modified
2025-06-30 16:52
Severity ?
Summary
MyBB 1.8.19 has XSS in the resetpassword function.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.19:*:*:*:*:*:*:*",
"matchCriteriaId": "41FE43D0-F03B-4A54-A59E-5C06D4A56ABD",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.19 has XSS in the resetpassword function."
},
{
"lang": "es",
"value": "MyBB 1.8.19 tiene el XSSS en la funci\u00f3n de restablecimiento de contrase\u00f1a"
}
],
"id": "CVE-2019-3578",
"lastModified": "2025-06-30T16:52:10.097",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-06T19:29:00.597",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-01-31 18:28
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
},
{
"lang": "es",
"value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en MyBB (tambi\u00e9n conocido como MyBulletinBoard) 1.2.2 permite a atacantes remotos enviar mensajes a usuarios de su elecci\u00f3n.\r\nNOTA: El origen de esta informaci\u00f3n es desconocido; los detalles se han obtenido solamente de informaci\u00f3n de terceros."
}
],
"id": "CVE-2007-0622",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-01-31T18:28:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/32968"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/23934"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/32968"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/23934"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "84DB6EE0-4972-434D-9C89-7BD9EB4896B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6F484-A280-45A6-BB5E-B923339B7109",
"versionEndIncluding": "1.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "95998F68-1F16-4FEA-BDE3-957235D04881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "927F9547-773B-4F2C-8870-AA3672EEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6817FA9E-51B7-4ADE-86E2-E9F559A585EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "667EFFF1-E5C1-4124-BD0B-D4244FAECE15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el manejador de errores en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 podr\u00eda permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-8975",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:00.237",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-19 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors."
},
{
"lang": "es",
"value": "El manejador de cache en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 no comprueba adecuadamente la codificaci\u00f3n de la entrada en la funci\u00f3n var_export, lo que permite a atacantes tener un impacto no especificado a trav\u00e9s de vectores no conocidos."
}
],
"id": "CVE-2015-2352",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-03-19T14:59:04.650",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73257"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73257"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-07-08 18:41
Modified
2025-04-09 00:30
Severity ?
Summary
Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53C7DC96-E461-4181-9555-5DFA116A96DF",
"versionEndIncluding": "1.2.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable."
},
{
"lang": "es",
"value": "Vulnerabilidad de salto de directorio en inc/class_language.php de MyBB anterior a 1.2.13, tiene un impacto y vectores de ataque desconocidos relacionados con la variable $language."
}
],
"id": "CVE-2008-3071",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-07-08T18:41:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31013"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-09-11 01:13
Modified
2025-04-09 00:30
Severity ?
Summary
moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE928783-BD14-4BCD-BC6E-13E406431705",
"versionEndIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors."
},
{
"lang": "es",
"value": "moderation.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) versiones anteriores a 1.4.1 no comprueba adecuadamente los privilegios del moderados, lo cual tiene un impacto y vectores de ataque desconocidos."
}
],
"evaluatorSolution": "Patch information - http://community.mybboard.net/showthread.php?tid=36022\r\n",
"id": "CVE-2008-3967",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-09-11T01:13:47.710",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31104"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-01-29 17:28
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en private.php de MyBB (tambi\u00e9n conocido como MyBulletinBoard) permite a usuarios autenticados remotamente inyectar secuencias de comandos web o HTML de su elecci\u00f3n a trav\u00e9s del campo Asunto (Subject), un vector distinto de CVE-2006-2949."
}
],
"id": "CVE-2007-0544",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-01-29T17:28:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/32967"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/23934"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/28837"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/457929/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/22205"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31740"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/32967"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/23934"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/28837"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/457929/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/22205"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31740"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-04-24 20:19
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en calendar.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) 1.2.5 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s del par\u00e1metro (1) year o (2) month. NOTA: la procedencia de esta informaci\u00f3n es desconocida; los detalles han sido obtenidos a partir de la informaci\u00f3n de terceros. \r\n"
}
],
"id": "CVE-2007-2212",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-04-24T20:19:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33814"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33814"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files."
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94397 | ||
| cve@mitre.org | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94397 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "84DB6EE0-4972-434D-9C89-7BD9EB4896B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6F484-A280-45A6-BB5E-B923339B7109",
"versionEndIncluding": "1.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "95998F68-1F16-4FEA-BDE3-957235D04881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "927F9547-773B-4F2C-8870-AA3672EEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6817FA9E-51B7-4ADE-86E2-E9F559A585EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "667EFFF1-E5C1-4124-BD0B-D4244FAECE15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \"old upgrade files.\""
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores relacionados con \"archivos antiguos de actualizaci\u00f3n\"."
}
],
"id": "CVE-2015-8976",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:00.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-06-26 16:29
Modified
2024-11-21 03:40
Severity ?
Summary
MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53F2488B-06DA-4FB0-A5DE-3953F1FA2193",
"versionEndExcluding": "1.8.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15."
},
{
"lang": "es",
"value": "MyBB Group MyBB contiene una vulnerabilidad de control de acceso incorrecto en los foros privados que puede resultar en que los usuarios puedan ver foros privados sin tener la contrase\u00f1a. Este ataque parece ser explotable mediante una suscripci\u00f3n a un foro mediante IDOR. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.8.15."
}
],
"id": "CVE-2018-1000503",
"lastModified": "2024-11-21T03:40:03.803",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-26T16:29:00.523",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-02-22 20:15
Modified
2024-11-21 05:57
Severity ?
Summary
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w | Exploit, Third Party Advisory | |
| cve@mitre.org | https://mybb.com/versions/1.8.25/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com/versions/1.8.25/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F8B31EA3-CFEA-43B3-8348-397BED3FD568",
"versionEndExcluding": "1.8.25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode)."
},
{
"lang": "es",
"value": "MyBB versiones anteriores a 1.8.25, permite un ataque de tipo XSS almacenado por medio de etiquetas [correo electr\u00f3nico] anidadas con MyCode (tambi\u00e9n se conoce como BBCode)"
}
],
"id": "CVE-2021-27279",
"lastModified": "2024-11-21T05:57:45.090",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-22T20:15:13.243",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.25/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.25/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-17 22:15
Modified
2025-04-25 16:27
Severity ?
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*",
"matchCriteriaId": "07E2BC41-5325-4F85-9235-61FF5CA894D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
},
{
"lang": "es",
"value": "Un problema en MyBB 1.8.38 permite que un atacante remoto obtenga informaci\u00f3n confidencial a trav\u00e9s de la funci\u00f3n Add Mycode."
}
],
"id": "CVE-2025-29460",
"lastModified": "2025-04-25T16:27:20.303",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-17T22:15:15.493",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.yuque.com/morysummer/vx41bz/fgg059stiog457ch"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-22 00:15
Modified
2025-04-29 14:15
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Summary
MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v | Patch, Third Party Advisory | |
| cve@mitre.org | https://mybb.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E81B96-4E85-4D0F-BEB7-D2A8E71DDD02",
"versionEndExcluding": "1.8.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP\u0027s Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings."
},
{
"lang": "es",
"value": "MyBB 1.8.31 tiene una vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo Usuarios del Admin CP que permite a los usuarios remotos autenticados modificar la cadena de consulta mediante la entrada directa del usuario o la configuraci\u00f3n del filtro de b\u00fasqueda almacenada."
}
],
"id": "CVE-2022-43709",
"lastModified": "2025-04-29T14:15:22.290",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-22T00:15:12.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://mybb.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://mybb.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-11-17 21:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en admin/modules/user/users.php en MyBB (alias MyBulletinBoard) v1.6.6 permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s del par\u00e1metro conditions[usergroup][] en una acci\u00f3n de b\u00fasqueda a admin/index.php."
}
],
"id": "CVE-2012-5909",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-11-17T21:55:05.533",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/80634"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/80634"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74396"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-11 19:15
Modified
2024-11-21 02:08
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://adamziaja.com/poc/201312-xss-mybb.html | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | http://adamziaja.com/poc/201312-xss-mybb.html | Not Applicable |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3910CB1-A664-43CD-839E-D0A51228F1E2",
"versionEndExcluding": "1.6.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en MyBB versiones anteriores a 1.6.13, permite a usuarios autenticados remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro name en la acci\u00f3n edit del m\u00f3dulo config-profile_fields."
}
],
"id": "CVE-2014-3826",
"lastModified": "2024-11-21T02:08:56.123",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-11T19:15:10.420",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://adamziaja.com/poc/201312-xss-mybb.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "http://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el panel de control Mod en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que implican a usuarios de edici\u00f3n."
}
],
"id": "CVE-2016-9408",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.267",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created."
},
{
"lang": "es",
"value": "MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12 permite a usuarios autenticados remotos evitar las restricciones previstas en el n\u00famero de [img] MyCodes editando un post despu\u00e9s de que haya sido creado."
}
],
"id": "CVE-2010-4624",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-12-30T21:00:02.410",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/728"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64518"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/728"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64518"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-24 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2017/Apr/53 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Apr/53 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/ | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA5913D3-77D8-4093-9225-0B1BDE2A9B5B",
"versionEndIncluding": "1.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event."
},
{
"lang": "es",
"value": "En MyBB en versiones anteriores a 1.8.11, el componente Email MyCode permite XSS, como lo demuestra un evento onmouseover."
}
],
"id": "CVE-2017-8103",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-24T18:59:00.837",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/53"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/53"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 18:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.sonarsource.com/mybb-remote-code-execution-chain | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/mybb-remote-code-execution-chain | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en MyBB versiones anteriores a 1.8.26, mediante las propiedades del tema incluyendo en los archivos XML del tema"
}
],
"id": "CVE-2021-27890",
"lastModified": "2024-11-21T05:58:42.830",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:18.707",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-08-29 16:15
Modified
2024-11-21 08:21
Severity ?
Summary
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BB1F809C-701C-452A-9E80-B91FF79CF7AC",
"versionEndExcluding": "1.8.36",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP."
},
{
"lang": "es",
"value": "MyBB anterior a 1.8.36 permite la inyecci\u00f3n de c\u00f3digo por parte de usuarios con ciertos privilegios elevados. Las plantillas en Admin CP usan intencionalmente eval, y hubo cierta validaci\u00f3n de la entrada para eval, pero el malabarismo de tipos interfiri\u00f3 con esto cuando se usaba PCRE dentro de PHP.\n"
}
],
"id": "CVE-2023-41362",
"lastModified": "2024-11-21T08:21:09.480",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-08-29T16:15:09.237",
"references": [
{
"source": "cve@mitre.org",
"url": "https://blog.sorcery.ie/posts/mybb_acp_rce/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.36/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://blog.sorcery.ie/posts/mybb_acp_rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.36/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en la validaci\u00f3n de miembros en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9405",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.140",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-02-11 19:15
Modified
2024-11-21 02:08
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://adamziaja.com/poc/201312-xss-mybb.html | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://adamziaja.com/poc/201312-xss-mybb.html | Not Applicable |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53B69B1A-A22A-4ED1-BEE4-7E5146867718",
"versionEndExcluding": "1.8.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en MyBB (tambi\u00e9n se conoce como MyBulletinBoard) versiones anteriores a 1.8.4, permiten a usuarios autenticados remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro title en la acci\u00f3n (1) edit o (2) add en el m\u00f3dulo user-users o la (3) acci\u00f3n finduser o el par\u00e1metro name en una (4) acci\u00f3n edit en el m\u00f3dulo user-user o la (5) acci\u00f3n editprofile en el archivo modcp.php."
}
],
"id": "CVE-2014-3827",
"lastModified": "2024-11-21T02:08:56.270",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-02-11T19:15:10.527",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://adamziaja.com/poc/201312-xss-mybb.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2011-09-23 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) v1.6 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una petici\u00f3n directa a un archivo .php, lo que revela la ruta de instalaci\u00f3n en un mensaje de error, como se demostr\u00f3 con inc/3rdparty/diff/Diff/ThreeWay.php y algunos otros archivos."
}
],
"id": "CVE-2011-3759",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-09-23T23:55:04.287",
"references": [
{
"source": "cve@mitre.org",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el manejador de datos de usuarios en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 y MyBB Merge System en versiones anteriores a 1.8.8 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9416",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.580",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-06 16:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA5913D3-77D8-4093-9225-0B1BDE2A9B5B",
"versionEndIncluding": "1.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism."
},
{
"lang": "es",
"value": "MyBB en versiones anteriores a 1.8.11 permite a atacantes remotos evitar un mecanismo de protecci\u00f3n SSRF."
}
],
"id": "CVE-2017-7566",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.1,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-06T16:59:00.157",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97480"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/97480"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22907EC0-5A2D-4DCF-B887-8FA311B3D4E2",
"versionEndIncluding": "1.8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6F484-A280-45A6-BB5E-B923339B7109",
"versionEndIncluding": "1.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "95998F68-1F16-4FEA-BDE3-957235D04881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "927F9547-773B-4F2C-8870-AA3672EEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6817FA9E-51B7-4ADE-86E2-E9F559A585EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "667EFFF1-E5C1-4124-BD0B-D4244FAECE15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 permiten a atacantes remotos obtener la ruta de instalaci\u00f3n a trav\u00e9s de vectores que involucran archivos de registro de errores."
}
],
"id": "CVE-2015-8977",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:00.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el m\u00f3dulo Users en el panel de control de Admin en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 y MyBB Merge System en versiones anteriores a 1.8.8 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9421",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-01-26 22:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "15DA7BAA-2E08-410F-B80E-0B1EC0B4EF46",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en usercp.php en MyBulletinBoard (MyBB) 1.02 permiten a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del (1) par\u00e1metro de bloc en una acci\u00f3n de bloc y (2) parametro de firma en una acci\u00f3n de edici\u00f3n. NOTA: Estos son diferentes tipos de ataque y, probablemente, una vulnerabilidad diferente a CVE-2006-0218 y CVE-2006-0219."
}
],
"id": "CVE-2006-0442",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-01-26T22:03:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://kapda.ir/advisory-241.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/18603"
},
{
"source": "cve@mitre.org",
"url": "http://securitytracker.com/id?1015535"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/423128/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/16361"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2006/0316"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://kapda.ir/advisory-241.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/18603"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securitytracker.com/id?1015535"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/423128/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/16361"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2006/0316"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors."
},
{
"lang": "es",
"value": "La funci\u00f3n fetch_remote_file en MyBB (tambi\u00e9n conocida como MyBulletinBoard) en versiones anteriores a 1.8.8 y MyBB Merge System en versiones anteriores a 1.8.8 permite a atacantes remotos llevar a cabo ataques de falsificaci\u00f3n de solicitud del lado del servidor (SSRF) a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9417",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.610",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php."
},
{
"lang": "es",
"value": "MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12 no restringe apropiadamente los valores uid para peticiones de uni\u00f3n de grupo; lo que permite, a atacantes remotos, provocar una denegaci\u00f3n de servicio (consumo de todos los recursos) usando un acceso de invitado para enviar formularios de peticiones de uni\u00f3n para grupos moderados. Vulnerabilidad relacionada con usercp.php y managegroup.php."
}
],
"id": "CVE-2010-4629",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-12-30T21:00:02.690",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/722"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64513"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-04-11 10:19
Modified
2025-04-09 00:30
Severity ?
Summary
SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybulletinboard | mybulletinboard | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0EDA88C-D8F0-4914-8FC6-BB5C0D1E0D33",
"versionEndIncluding": "1.2.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybulletinboard:mybulletinboard:*:*:*:*:*:*:*:*",
"matchCriteriaId": "890AE1FD-307D-41A4-AF91-397EDAFFCF10",
"versionEndIncluding": "1.2.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en la funci\u00f3n create_session en class_session.php de MyBB (tambi\u00e9n conocido como MyBulletinBoard) 1.2.3 y anteriores permite a atacantes remotos ejecutar comandos sql de su elecci\u00f3n mediante la cabecera HTTP Client-IP, como ha sido utilizado por index.php, un asunto relacionado con CVE-2006-3775."
}
],
"id": "CVE-2007-1963",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-04-11T10:19:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/attachment.php?aid=5842"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=18002"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/34657"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/24689"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/464563/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "http://www.vupen.com/english/advisories/2007/1244"
},
{
"source": "cve@mitre.org",
"url": "https://www.exploit-db.com/exploits/3653"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/attachment.php?aid=5842"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=18002"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/34657"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/24689"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/464563/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.vupen.com/english/advisories/2007/1244"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.exploit-db.com/exploits/3653"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-18 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el editor MyCode en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-2333",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-03-18T14:59:02.873",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73213"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73213"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22907EC0-5A2D-4DCF-B887-8FA311B3D4E2",
"versionEndIncluding": "1.8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6F484-A280-45A6-BB5E-B923339B7109",
"versionEndIncluding": "1.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "95998F68-1F16-4FEA-BDE3-957235D04881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "927F9547-773B-4F2C-8870-AA3672EEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6817FA9E-51B7-4ADE-86E2-E9F559A585EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "667EFFF1-E5C1-4124-BD0B-D4244FAECE15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en el m\u00f3dulo Group Promotions en el panel de control de administrador en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2015-8974",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:00.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-01 16:15
Modified
2024-11-21 05:13
Severity ?
Summary
Installer RCE on settings file write in MyBB before 1.8.22.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://mybb.com/versions/1.8.22/ | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com/versions/1.8.22/ | Release Notes |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7B03E0B1-4D3E-48F1-BE5B-BCF4A338CC34",
"versionEndExcluding": "1.8.22",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Installer RCE on settings file write in MyBB before 1.8.22."
},
{
"lang": "es",
"value": "Instalador RCE en el archivo de configuraci\u00f3n de escritura en MyBB antes de 1.8.22."
}
],
"id": "CVE-2020-22612",
"lastModified": "2024-11-21T05:13:19.283",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-01T16:15:07.533",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.22/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.22/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-13 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACDC3261-4AA6-48DD-AF97-EF346DBC3FDD",
"versionEndIncluding": "1.6.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de inyecci\u00f3n SQL en la funcionalidad \u0027User Inline Moderation\u0027 en el panel de control de administraci\u00f3n (ACP) en MyBB (alias MyBulletinBoard) antes de v1.6.7 permite a los administradores remotos ejecutar comandos SQL a trav\u00e9s de vectores no especificados.\r\n"
}
],
"id": "CVE-2012-2325",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-13T18:55:03.520",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/53417"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-17 22:15
Modified
2025-04-24 14:13
Severity ?
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses | Mitigation, Product | |
| cve@mitre.org | https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*",
"matchCriteriaId": "07E2BC41-5325-4F85-9235-61FF5CA894D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
},
{
"lang": "es",
"value": "Un problema en MyBB 1.8.38 permite que un atacante remoto obtenga informaci\u00f3n confidencial a trav\u00e9s de la funci\u00f3n Importar un tema."
}
],
"id": "CVE-2025-29457",
"lastModified": "2025-04-24T14:13:52.253",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-17T22:15:15.183",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-04-24 18:59
Modified
2025-04-20 01:37
Severity ?
Summary
In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://seclists.org/fulldisclosure/2017/Apr/55 | Exploit, Mailing List, Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securityfocus.com/bid/98045 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2017/Apr/55 | Exploit, Mailing List, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/98045 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/ | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EA5913D3-77D8-4093-9225-0B1BDE2A9B5B",
"versionEndIncluding": "1.8.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter."
},
{
"lang": "es",
"value": "En MyBB en versiones anteriores a 1.8.11, el m\u00f3dulo smilie permite Salto de Directorio a trav\u00e9s del par\u00e1metro pathfolder."
}
],
"id": "CVE-2017-8104",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-04-24T18:59:00.867",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/55"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98045"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/55"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/98045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-02 16:15
Modified
2025-07-02 15:14
Severity ?
Summary
MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6445406-D542-43F3-97A5-BB4BDC20E2FA",
"versionEndExcluding": "1.8.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue."
},
{
"lang": "es",
"value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. Antes de la versi\u00f3n 1.8.39, el componente de b\u00fasqueda no validaba correctamente los permisos, lo que permit\u00eda a los atacantes determinar la existencia de hilos ocultos (borradores, no aprobados o eliminados temporalmente) que conten\u00edan el texto especificado en el t\u00edtulo. El estado de visibilidad (columna entera `mybb_threads.visible`) de los hilos no se valida en las consultas de b\u00fasqueda internas, cuyo resultado se utiliza para indicar si la b\u00fasqueda se ha realizado correctamente o no. Si bien MyBB valida los permisos al mostrar los resultados finales de la b\u00fasqueda, una operaci\u00f3n de b\u00fasqueda que produce internamente al menos un resultado genera una respuesta de redirecci\u00f3n (como una redirecci\u00f3n HTTP o una p\u00e1gina de mensaje de \u00e9xito con redirecci\u00f3n retrasada, seg\u00fan la configuraci\u00f3n). Por otro lado, una operaci\u00f3n de b\u00fasqueda que no produce resultados internamente genera un mensaje correspondiente en la respuesta sin redirecci\u00f3n. Esto permite al usuario determinar si existen hilos que coinciden con los par\u00e1metros de b\u00fasqueda de t\u00edtulo, incluyendo borradores (visibles con un valor de -2), hilos eliminados temporalmente (visibles con un valor de -1) e hilos no aprobados (visibles con un valor de 0); adem\u00e1s de mostrar hilos visibles (visibles con un valor de 1). Esta vulnerabilidad no afecta a otras capas de permisos. Para explotarla, el usuario debe tener acceso a la funci\u00f3n de b\u00fasqueda y acceso general a los foros que contienen los hilos. La vulnerabilidad no expone el contenido de los mensajes. MyBB 1.8.39 soluciona este problema."
}
],
"id": "CVE-2025-48941",
"lastModified": "2025-07-02T15:14:30.267",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-02T16:15:30.223",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/b8cc332a27e145c33effaccec90e23c103ae5193"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-f847-57xc-ffwr"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.39"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1230"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-01-22 20:00
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9002DF3E-BDC7-4653-8C32-EC20CAFD436D",
"versionEndIncluding": "1.2.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en MyBB 1.2.10 y anteriores permite a moderadores remotos y administradores ejecutar comnandos SQL a trav\u00e9s del par\u00e1metros (1)mergepost en una acci\u00f3n do_mergepostsm (2) par\u00e1metro rid en una acci\u00f3n allreports, o (3) par\u00e1metro threads en una acci\u00f3n do_multimovethreads en (a) moderation.php; o par\u00e1metro (4)gid en (b) admin/usergroups.php."
}
],
"id": "CVE-2008-0383",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": true,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-01-22T20:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=27227"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28509"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/3558"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/486433/100/0/threaded"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/27323"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.waraxe.us/advisory-62.html"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39728"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39729"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=27227"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28509"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3558"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/486433/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "http://www.securityfocus.com/bid/27323"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.waraxe.us/advisory-62.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39728"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39729"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-13 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybboard | mybb | 1.4.3 | |
| mybboard | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D53879AD-6CE7-4A7C-B5C3-EE6C3101D773",
"versionEndIncluding": "1.6.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybboard:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D51785C1-C278-4302-A747-64246BE6F920",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "24CD2FC7-005C-455E-9D71-719DD571741C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "secalert@redhat.com",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying \"Although this doesn\u0027t lead to an SQL injection, it does provide a general MyBB SQL error."
},
{
"lang": "es",
"value": "** EN DISPUTA ** M\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en MyBB (tambi\u00e9n conocido como MyBulletinBoard) antes de v1.6.1 permite a atacantes remotos ejecutar comandos SQL a trav\u00e9s del par\u00e1metro \u0027keywords\u0027 de una acci\u00f3n (1) do_search a search.php o (2) una acci\u00f3n do_stuff a private.php. NOTA: El vendedor rechaza este problema diciendo que \"...aunque esto no conduce a una inyecci\u00f3n de SQL, s\u00ed que provoca un error de gen\u00e9rico de MyBB de SQL Server\".\r\n"
}
],
"id": "CVE-2010-5096",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-13T23:55:00.850",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://dev.mybb.com/issues/1330"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/4"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/03/25/1"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/3"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/7"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/70013"
},
{
"source": "secalert@redhat.com",
"url": "http://www.osvdb.org/70014"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/45565"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybb.com/issues/1330"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/03/25/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/70013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/70014"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/45565"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-08-10 22:15
Modified
2024-11-21 05:04
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj | Patch, Third Party Advisory | |
| security-advisories@github.com | https://mybb.com/versions/1.8.24/ | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com/versions/1.8.24/ | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C4357014-50F7-4CE1-A839-1853651C2685",
"versionEndExcluding": "1.8.24",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn\u0027t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file."
},
{
"lang": "es",
"value": "En MyBB anterior a la versi\u00f3n 1.8.24, el MyCode (BBCode) personalizado para el editor visual no escapa la entrada correctamente cuando renderiza HTML, lo que genera una vulnerabilidad de tipo XSS basada en DOM. La debilidad puede ser explotada se\u00f1alando a la v\u00edctima a una p\u00e1gina donde el editor visual est\u00e1 activo (por ejemplo, como una publicaci\u00f3n o un Mensaje Privado) y opera en un mensaje MyCode dise\u00f1ado con fines maliciosos. Esto puede ocurrir en p\u00e1ginas donde el contenido del mensaje se rellena previamente usando un par\u00e1metro GET/POST, o en p\u00e1ginas de respuesta donde un mensaje malicioso previamente guardado es citado. Despu\u00e9s de actualizar MyBB a la versi\u00f3n 1.8.24, aseg\u00farese de actualizar el atributo de versi\u00f3n en la plantilla \"codebuttons\" para que los temas no predeterminados sirvan la \u00faltima versi\u00f3n del archivo \"jscripts/bbcodes_sceditor.js\" parcheado"
}
],
"id": "CVE-2020-15139",
"lastModified": "2024-11-21T05:04:55.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-08-10T22:15:14.223",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.24/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.24/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-06-26 16:29
Modified
2024-11-21 03:40
Severity ?
Summary
MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53F2488B-06DA-4FB0-A5DE-3953F1FA2193",
"versionEndExcluding": "1.8.15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -\u003e Task Manager -\u003e Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15."
},
{
"lang": "es",
"value": "MyBB Group MyBB contiene una vulnerabilidad de inclusi\u00f3n de archivos en el panel de administrador (Tools and Maintenance -\u003e Task Manager -\u003e Add New Task) que puede resultar en que se permita la inclusi\u00f3n de archivos locales en versiones modernas de PHP y la inclusi\u00f3n de archivos remota en versiones antiguas de PHP. Para explotar este ataque, el atacante debe tener acceso al panel de administraci\u00f3n. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 1.8.15."
}
],
"id": "CVE-2018-1000502",
"lastModified": "2024-11-21T03:40:03.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-26T16:29:00.447",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-829"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-01-08 15:29
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.0 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.0 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 | |
| mybb | mybb | 1.6.4 | |
| mybb | mybb | 1.6.5 | |
| mybb | mybb | 1.6.6 | |
| mybb | mybb | 1.6.7 | |
| mybb | mybb | 1.6.8 | |
| mybb | mybb | 1.6.9 | |
| mybb | mybb | 1.6.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1AB176E2-A87C-4098-93F3-B6B4C09389FD",
"versionEndIncluding": "1.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04264BC5-425C-47D4-9EE0-35BF11B904F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.8:*:*:*:*:*:*:*",
"matchCriteriaId": "5E42628F-7E7F-4E3A-BB8E-699166CB86B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A02FA2FA-E035-40CD-9C0F-A143A931D40D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F52B8848-9103-4A78-A45B-6BE73855647A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup."
},
{
"lang": "es",
"value": "Vulnerabilidad cross-site scripting (XSS) en misc.php de MyBB (tambien conocido como MyBulletinBoard) anteriores a 1.6.12 permite a atacantes remotos inyectar script web o HTML de forma arbitraria a trav\u00e9s del par\u00e1metro editor en un listado de smileis."
}
],
"id": "CVE-2013-7275",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-01-08T15:29:56.807",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/101545"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55945"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/101545"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/55945"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-05-01 07:15
Modified
2025-06-30 15:03
Severity ?
Summary
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5AA2C895-E246-429E-A8DA-DE9A52BDEEC9",
"versionEndExcluding": "1.8.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability"
},
{
"lang": "es",
"value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. El m\u00f3dulo de gesti\u00f3n de copias de seguridad del Admin CP puede aceptar `.htaccess` como nombre del archivo de copia de seguridad que se eliminar\u00e1, lo que puede exponer los archivos de copia de seguridad almacenados a trav\u00e9s de HTTP en servidores Apache. MyBB 1.8.38 resuelve este problema. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad"
}
],
"id": "CVE-2024-23335",
"lastModified": "2025-06-30T15:03:32.623",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-05-01T07:15:38.240",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.38"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-17 22:15
Modified
2025-04-24 14:14
Severity ?
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses | Mitigation, Product | |
| cve@mitre.org | https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*",
"matchCriteriaId": "07E2BC41-5325-4F85-9235-61FF5CA894D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
},
{
"lang": "es",
"value": "Un problema en MyBB 1.8.38 permite que un atacante remoto obtenga informaci\u00f3n confidencial a trav\u00e9s de la funci\u00f3n Cambiar avatar."
}
],
"id": "CVE-2025-29458",
"lastModified": "2025-04-24T14:14:21.430",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-17T22:15:15.290",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mitigation",
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-05-13 20:29
Modified
2024-11-21 03:41
Severity ?
Summary
MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.securityfocus.com/bid/104187 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/104187 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.15:*:*:*:*:*:*:*",
"matchCriteriaId": "1DB4D668-C39B-4581-A493-F43984158649",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.15, when accessed with Microsoft Edge, mishandles \u0027target=\"_blank\" rel=\"noopener\"\u0027 in A elements, which makes it easier for remote attackers to conduct redirection attacks."
},
{
"lang": "es",
"value": "MyBB 1.8.15, cuando se accede a \u00e9l mediante Microsoft Edge, gestiona de manera incorrecta \u0027target=\"_blank\" rel=\"noopener\"\u0027 en elementos A, lo que facilita que atacantes remotos lleven a cabo ataques de redirecci\u00f3n."
}
],
"id": "CVE-2018-10678",
"lastModified": "2024-11-21T03:41:50.240",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-05-13T20:29:00.217",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104187"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/104187"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-10-06 18:16
Modified
2024-11-21 07:17
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7C214187-7786-44BE-AD2F-5DF1B4C481EA",
"versionEndExcluding": "1.8.31",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The _Mail Settings_ \u2192 Additional Parameters for PHP\u0027s mail() function mail_parameters setting value, in connection with the configured mail program\u0027s options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "MyBB es un software de foros gratuito y de c\u00f3digo abierto. El valor de la configuraci\u00f3n de _Mail_ ? Additional Parameters for PHP\u0027s mail() function mail_parameters setting value, en relaci\u00f3n con las opciones y el comportamiento del programa de correo configurado, puede permitir el acceso a informaci\u00f3n sensible y la ejecuci\u00f3n remota de c\u00f3digo (RCE). El m\u00f3dulo vulnerable requiere acceso al CP de administrador con el permiso `_Can manage settings?_` y puede depender de los permisos de los archivos configurados. MyBB 1.8.31 resuelve este problema con el commit `0cd318136a`. Se recomienda a los usuarios que actualicen. No hay soluciones conocidas para esta vulnerabilidad"
}
],
"id": "CVE-2022-39265",
"lastModified": "2024-11-21T07:17:54.837",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-10-06T18:16:12.163",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.31/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://mybb.com/versions/1.8.31/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2019-06-15 18:29
Modified
2024-11-21 04:23
Severity ?
Summary
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/ | Release Notes, Third Party Advisory | |
| cve@mitre.org | https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/ | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/ | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/ | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "438D60BF-E8A0-41F9-AE8E-B17569ECD586",
"versionEndExcluding": "1.8.21",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue."
},
{
"lang": "es",
"value": "En MyBB anterior a 1.8.21, un atacante puede aprovechar un fallo de an\u00e1lisis en el renderizador de Publicaci\u00f3n y Mensaje Privado que conlleva a un ataque XSS persistente de BBCode de [video] para controlar cualquier cuenta del foro, tambi\u00e9n se conoce como un problema de video anidado de MyCode."
}
],
"id": "CVE-2019-12830",
"lastModified": "2024-11-21T04:23:40.527",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 5.8,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-06-15T18:29:00.220",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-22 00:15
Modified
2025-04-29 15:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px | Patch, Third Party Advisory | |
| cve@mitre.org | https://mybb.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E81B96-4E85-4D0F-BEB7-D2A8E71DDD02",
"versionEndExcluding": "1.8.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data"
},
{
"lang": "es",
"value": "MyBB 1.8.31 tiene una vulnerabilidad de Cross-Site Scripting (XSS) en el editor visual MyCode (SCEditor) que permite a atacantes remotos inyectar HTML a trav\u00e9s de la entrada del usuario o datos almacenados."
}
],
"id": "CVE-2022-43707",
"lastModified": "2025-04-29T15:15:50.060",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-22T00:15:10.023",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://mybb.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://mybb.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-07-08 18:41
Modified
2025-04-09 00:30
Severity ?
Summary
Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53C7DC96-E461-4181-9555-5DFA116A96DF",
"versionEndIncluding": "1.2.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user[\u0027language\u0027] variable, probably related to SQL injection."
},
{
"lang": "es",
"value": "Vulnerabilidad sin especificar en inc/datahandler/user.php en MyBB anterior a 1.2.13, tiene un impacto y vectores de ataque desconocidos en relaci\u00f3n con la variable $user[\u0027language\u0027], probablemente relacionado con la inyecci\u00f3n SQL."
}
],
"id": "CVE-2008-3070",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-07-08T18:41:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31013"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
},
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94397 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/ | Release Notes, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22907EC0-5A2D-4DCF-B887-8FA311B3D4E2",
"versionEndIncluding": "1.8.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2FF6F484-A280-45A6-BB5E-B923339B7109",
"versionEndIncluding": "1.6.17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E697D13C-5594-491B-B911-3B4BEA00AFCC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "00724054-858F-4322-8BE5-F6929CC2CAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.2:*:*:*:*:*:*:*",
"matchCriteriaId": "95998F68-1F16-4FEA-BDE3-957235D04881",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.3:*:*:*:*:*:*:*",
"matchCriteriaId": "927F9547-773B-4F2C-8870-AA3672EEC7CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6817FA9E-51B7-4ADE-86E2-E9F559A585EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.5:*:*:*:*:*:*:*",
"matchCriteriaId": "667EFFF1-E5C1-4124-BD0B-D4244FAECE15",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password."
},
{
"lang": "es",
"value": "xmlhttp.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 permite a atacantes remotos eludir las restricciones de acceso previstas a trav\u00e9s de vectores relacionados con la contrase\u00f1a del foro."
}
],
"id": "CVE-2015-8973",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:00.140",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-05-14 21:19
Modified
2025-04-09 00:30
Severity ?
Summary
MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F51E1EAB-F28C-4F8A-B55F-B32CABC67161",
"versionEndIncluding": "1.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message."
},
{
"lang": "es",
"value": "MyBB 1.2.4 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s del par\u00e1metro (1) action[] en member.php, el par\u00e1metro (2)imagehash[] en captcha.php, and (3) una respuesta directa en inc/datahandlers/event.php, el cual revela la ruta de instalaci\u00f3n en el mensaje de error resultado."
}
],
"id": "CVE-2007-0689",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-05-14T21:19:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=117909973216181\u0026w=2"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/35548"
},
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/35549"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://www.netvigilance.com/advisory0017"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/34155"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/468549/100/0/threaded"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34336"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=117909973216181\u0026w=2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/35548"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/35549"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "http://www.netvigilance.com/advisory0017"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/34155"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/468549/100/0/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34336"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 permiten a atacantes tener un impacto no especificado a trav\u00e9s de vectores relacionados con la baja entrop\u00eda adminsid y sid."
}
],
"id": "CVE-2016-9412",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.423",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-02-08 07:29
Modified
2024-11-21 04:11
Severity ?
Summary
MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.14:*:*:*:*:*:*:*",
"matchCriteriaId": "8DF54ECF-097F-490E-8657-655328421CF9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen."
},
{
"lang": "es",
"value": "MyBB 1.8.14 tiene XSS mediante los campos Title o Description en la pantalla Edit Forum."
}
],
"id": "CVE-2018-6844",
"lastModified": "2024-11-21T04:11:16.870",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-02-08T07:29:01.257",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account\u0027s password, and then conducting a brute-force attack."
},
{
"lang": "es",
"value": "La funci\u00f3n my_rand de functions.php de MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12 no utiliza apropiadamente la funci\u00f3n de PHP mt_rand, lo que facilita a atacantes remotos obtener acceso a cuentas de su elecci\u00f3n solicitando un reinicio de la contrase\u00f1a de la cuenta y, a continuaci\u00f3n, realizando un ataque de fuerza bruta."
}
],
"id": "CVE-2010-4626",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 4.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-12-30T21:00:02.550",
"references": [
{
"source": "cve@mitre.org",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/843"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64516"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/843"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64516"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table."
},
{
"lang": "es",
"value": "member.php de MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12 hace una llamada superflua a la funci\u00f3n SQL COUNT; lo que permite, a atacantes remotos, provocar una denegaci\u00f3n de servici\u00f3 (consumo de todos los recursos) haciendo peticiones a member.php que generan la lectura de toda la tabla de usuarios."
}
],
"id": "CVE-2010-4628",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2010-12-30T21:00:02.643",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/662"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64514"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/662"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64514"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-22 00:15
Modified
2025-04-29 15:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w | Patch, Third Party Advisory | |
| cve@mitre.org | https://mybb.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "81E81B96-4E85-4D0F-BEB7-D2A8E71DDD02",
"versionEndExcluding": "1.8.32",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name"
},
{
"lang": "es",
"value": "MyBB 1.8.31 tiene (problema 2 de 2) vulnerabilidades de Cross-Site Scripting (XSS) en la interfaz de archivos adjuntos que permite a los atacantes inyectar HTML persuadiendo al usuario a cargar un archivo con un nombre especialmente manipulado."
}
],
"id": "CVE-2022-43708",
"lastModified": "2025-04-29T15:15:50.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-22T00:15:12.007",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://mybb.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://mybb.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-05-22 19:15
Modified
2024-11-21 07:55
Severity ?
Summary
In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646 | Patch, Release Notes, Third Party Advisory | |
| cve@mitre.org | https://mybb.com | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646 | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mybb.com | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D7F6C2C7-3E6F-4861-B774-EAA1912EDA23",
"versionEndExcluding": "1.8.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.34, there is XSS in the User CP module via the user email field."
}
],
"id": "CVE-2023-28467",
"lastModified": "2024-11-21T07:55:08.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-05-22T19:15:10.017",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://mybb.com"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://mybb.com"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2014-03-03 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6568D304-291D-4627-83BD-8859415CC666",
"versionEndIncluding": "1.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*",
"matchCriteriaId": "22A90F66-DAE9-45FC-B255-390D569CCC56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E1A3FDDB-9488-405B-A2A0-500CF49061BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "04264BC5-425C-47D4-9EE0-35BF11B904F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.8:*:*:*:*:*:*:*",
"matchCriteriaId": "5E42628F-7E7F-4E3A-BB8E-699166CB86B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A02FA2FA-E035-40CD-9C0F-A143A931D40D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F52B8848-9103-4A78-A45B-6BE73855647A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.11:*:*:*:*:*:*:*",
"matchCriteriaId": "C7170B92-1D43-49CA-BC79-469F0C8965D6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en Upload/search.php en MyBB 1.6.12 y anteriores permite a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro keywords en una acci\u00f3n do_search, que no es manejado debidamente en un mensaje de error forzado de SQL."
}
],
"id": "CVE-2014-1840",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-03-03T16:55:04.320",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-06 18:15
Modified
2024-11-21 08:28
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_):
- _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC8DBC6D-0D47-46D6-A840-36BF42F37437",
"versionEndExcluding": "1.8.37",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": " MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn\u0027t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP \u2192 Configuration \u2192 Settings \u2192 Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP \u2192 Your Profile \u2192 Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP \u2192 Configuration \u2192 Settings_):\n- _Clickable Smilies and BB Code \u2192 [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP \u2192 Your Profile \u2192 Edit Options_) _Show the MyCode formatting options on the posting pages_."
},
{
"lang": "es",
"value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. El MyCode personalizado (BBCode) para el editor visual (_SCEditor_) no sanitiza la entrada correctamente al representar HTML, lo que genera una vulnerabilidad XSS basada en DOM. Esta debilidad se puede explotar dirigiendo a la v\u00edctima a una p\u00e1gina donde el editor visual est\u00e1 activo (por ejemplo, como una publicaci\u00f3n o mensaje privado) y opera con un mensaje MyCode creado con fines malintencionados. Esto puede ocurrir en p\u00e1ginas donde el contenido del mensaje se completa previamente mediante un par\u00e1metro GET/POST, o en p\u00e1ginas de respuesta donde se cita un mensaje malicioso previamente guardado. El impacto se mitiga cuando: \n1. el editor visual est\u00e1 deshabilitado globalmente (_Admin CP ? Configuration ? Settings ? Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), o \n2. el editor visual est\u00e1 deshabilitado para cuentas de usuario individuales (_User CP ? Your Profile ? Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked).\nMyBB 1.8.37 resuelve este problema con el commit `6dcaf0b4d`. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden mitigar el impacto sin actualizar MyBB cambiando la siguiente configuraci\u00f3n (_Admin CP ? Configuration ? Settings_): - _Clickable Smilies and BB Code ? [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. \nDe manera similar, los usuarios individuales del foro MyBB pueden desactivar el editor visual marcando la opci\u00f3n de cuenta (_User CP ? Your Profile ? Edit Options_)_Show the MyCode formatting options on the posting pages_."
}
],
"id": "CVE-2023-46251",
"lastModified": "2024-11-21T08:28:10.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-06T18:15:08.547",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.37/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.37/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-30 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.0 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EF48E06-2401-400C-B4DB-F26505D0638C",
"versionEndIncluding": "1.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an \"unparsed user avatar in the buddy list.\""
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en MyBB anterior a v1.6.5 tiene un impacto desconocido y vectores de ataque tambi\u00e9n desconocidos, relacionados con un \"avatar de usuario no parseado en una lista (buddy)\"."
}
],
"id": "CVE-2011-5133",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-08-30T22:55:04.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/77325"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/77325"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/50816"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-07-27 23:41
Modified
2025-04-09 00:30
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E3067FB9-BCAA-4B7D-A3FE-8164C32C7440",
"versionEndIncluding": "1.2.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en MyBB versiones 1.2.x anteriores a 1.2.14, permite a los atacantes remotos inyectar script web o HTML arbitrario por medio de vectores no especificados, posiblemente involucrando el archivo search.php."
}
],
"id": "CVE-2008-3334",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-07-27T23:41:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/thread-33865.html"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31216"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/30401"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44034"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/thread-33865.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31216"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/30401"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44034"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-11-04 21:00
Modified
2025-04-09 00:30
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) v1.4.2 no emplea suficiente aleatoriedad para componer los nombres de los ficheros que se hayan subido como adjuntos; esto facilita a los atacantes remotos leer estos ficheros deduciendo su nombre."
}
],
"id": "CVE-2008-4929",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2008-11-04T21:00:05.957",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/31936"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/31936"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-330"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors."
},
{
"lang": "es",
"value": "El panel de control Admin en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 permite a los atacantes remotos realizar ataques de secuestro de clic a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9413",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.453",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2006-01-16 21:03
Modified
2025-04-03 01:03
Severity ?
Summary
Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://community.mybboard.net/showthread.php?tid=5852 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://community.mybboard.net/showthread.php?tid=5852 | Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D04CCBA4-FD62-41BA-838C-A307BA792E8F",
"versionEndIncluding": "1.01",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
"matchCriteriaId": "CD7728CD-1FA0-4428-B3FC-883781A699CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
"matchCriteriaId": "0883675F-9442-49E7-8471-C205B7EA201D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "C67749DF-F8AF-4C88-A120-0F48307C58E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
"matchCriteriaId": "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603."
}
],
"id": "CVE-2006-0218",
"lastModified": "2025-04-03T01:03:51.193",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": true,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2006-01-16T21:03:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.mybboard.net/showthread.php?tid=5852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://community.mybboard.net/showthread.php?tid=5852"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA9326ED-4299-46B9-B654-0BC7C5282903",
"versionEndIncluding": "1.4.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en usercp2.php de MyBB (MyBulletinBoard) en versiones anteriores a la 1.4.12. Permite a atacantes remotos secuestrar la autenticaci\u00f3n de v\u00edctimas sin especificar a trav\u00e9s de vectores desconocidos."
}
],
"id": "CVE-2010-4627",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-12-30T21:00:02.597",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "cve@mitre.org",
"url": "http://dev.mybboard.net/issues/852"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "cve@mitre.org",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64515"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://dev.mybboard.net/issues/852"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64515"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FC4E25F3-7C9D-45E3-8330-961A56BC3C48",
"versionEndIncluding": "1.8.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to \"loose comparison false positives.\""
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 y MyBB Merge System en versiones anteriores a 1.8.8 permiten a atacantes remotos tener un impacto no especificado a trav\u00e9s de vectores relacionados con \"comparaci\u00f3n suelta de falsos positivos\"."
}
],
"id": "CVE-2016-9420",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.720",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 17:15
Modified
2024-11-21 05:58
Severity ?
Summary
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.sonarsource.com/mybb-remote-code-execution-chain | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.sonarsource.com/mybb-remote-code-execution-chain | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) en MyBB versiones anteriores a 1.8.26 a trav\u00e9s de Nested Auto URL cuando se analizan los mensajes"
}
],
"id": "CVE-2021-27889",
"lastModified": "2024-11-21T05:58:42.617",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T17:15:22.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-05-01 07:15
Modified
2025-06-30 15:10
Severity ?
Summary
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5AA2C895-E246-429E-A8DA-DE9A52BDEEC9",
"versionEndExcluding": "1.8.38",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File\u0027s _Disallowed Remote Addresses_ list (`$config[\u0027disallowed_remote_addresses\u0027]`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8\u0027 to their disallowed address list."
},
{
"lang": "es",
"value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. La lista predeterminada de hosts remotos no permitidos no contiene el bloque `127.0.0.0/8`, lo que puede provocar una vulnerabilidad de Server Side Request Forgery (SSRF). La lista de _Direcciones remotas no permitidas_ del archivo de configuraci\u00f3n (\"$config[\u0027disallowed_remote_addresses\u0027]`) contiene la direcci\u00f3n `127.0.0.1`, pero no incluye el bloque completo `127.0.0.0/8`. MyBB 1.8.38 resuelve este problema en las instalaciones predeterminadas. Los administradores de las placas instaladas deben actualizar la configuraci\u00f3n existente (`inc/config.php`) para incluir todas las direcciones bloqueadas de forma predeterminada. Adem\u00e1s, se recomienda a los usuarios que verifiquen que incluya otras direcciones IPv4 que se resuelvan en el servidor y otros recursos internos. Los usuarios que no puedan actualizar pueden agregar manualmente 127.0.0.0/8\u0027 a su lista de direcciones no permitidas."
}
],
"id": "CVE-2024-23336",
"lastModified": "2025-06-30T15:10:32.987",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.0,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2024-05-01T07:15:38.660",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.38"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-184"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2007-04-11 10:19
Modified
2025-04-09 00:30
Severity ?
Summary
member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | 1.2.5 | |
| mybulletinboard | mybulletinboard | 1.2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybulletinboard:mybulletinboard:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B6FD3E97-2E37-4FE3-83A7-13E489BDFF0C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account\u0027s registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output."
},
{
"lang": "es",
"value": "member.php en MyBB (tambi\u00e9n conocido como MyBulletinBoard), cuando el modo de depuraci\u00f3n est\u00e1 disponible, permite a atacantes remotos autenticados cambiar la contrase\u00f1a de cualquier cuenta dando la direcci\u00f3n de correo electr\u00f3nico de cuentas registradas en una petici\u00f3n de depuraci\u00f3n para la acci\u00f3n do_lostpw, lo cual imprime el c\u00f3digo de verificaci\u00f3n de cambio de la contrase\u00f1a en la salida de depuraci\u00f3n."
}
],
"id": "CVE-2007-1964",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": true,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2007-04-11T10:19:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/2544"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/archive/1/464267/100/100/threaded"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33345"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/2544"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/archive/1/464267/100/100/threaded"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33345"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-07-08 18:41
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "53C7DC96-E461-4181-9555-5DFA116A96DF",
"versionEndIncluding": "1.2.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en MyBB anterior a 1.2.13, permite a atacantes remotos inyectar secuencias de comandos Web o HTML mediante par\u00e1metros no especificados en (1) portal.php y (2) inc/functions_post.php."
}
],
"id": "CVE-2008-3069",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-07-08T18:41:00.000",
"references": [
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31013"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31013"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que implican registros de panel de control Mod."
}
],
"id": "CVE-2016-9407",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.220",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94396 | ||
| cve@mitre.org | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94396 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ | Release Notes, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "78D16782-41C7-4001-8DD1-C7A09B347733",
"versionEndIncluding": "1.8.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el panel de control de Admin en MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 y MyBB Merge System en versiones anteriores a 1.8.8 permite a los atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados."
}
],
"id": "CVE-2016-9419",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.673",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/94396"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs."
},
{
"lang": "es",
"value": "Vulnerabilidad de XSS en el panel de control de Admin en MyBB (aka MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 podr\u00edan permitir a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores que implican registros de poda."
}
],
"id": "CVE-2016-9409",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.297",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-11-10 23:29
Modified
2025-04-20 01:37
Severity ?
Summary
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| cve@mitre.org | https://www.exploit-db.com/exploits/43136/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/ | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/43136/ | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "52EEFACF-D046-478B-801D-CC39CAAD6555",
"versionEndIncluding": "1.8.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file."
},
{
"lang": "es",
"value": "El instalador en MyBB en versiones anteriores a la 1.8.13 permite que atacantes remotos ejecuten c\u00f3digo arbitrario escribiendo en el archivo de configuraci\u00f3n."
}
],
"id": "CVE-2017-16780",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-10T23:29:00.243",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/43136/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/43136/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-04-17 22:15
Modified
2025-06-27 15:45
Severity ?
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*",
"matchCriteriaId": "07E2BC41-5325-4F85-9235-61FF5CA894D1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [
{
"sourceIdentifier": "cve@mitre.org",
"tags": [
"disputed"
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
},
{
"lang": "es",
"value": "Un problema en MyBB 1.8.38 permite que un atacante remoto obtenga informaci\u00f3n confidencial a trav\u00e9s de la funci\u00f3n Correo."
}
],
"id": "CVE-2025-29459",
"lastModified": "2025-06-27T15:45:56.820",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-04-17T22:15:15.387",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.yuque.com/morysummer/vx41bz/ggnmg5nnu635kvrc"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-29 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to \"Group join request notifications sent to wrong group leaders.\""
},
{
"lang": "es",
"value": "Vulnerabilidad no especificada en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 tiene vectores de ataque desconocidos relacionados con \u0027notificaciones de solicitudes de unirse a un grupo enviadas al lideres de grupo equivocados.\u0027"
}
],
"id": "CVE-2015-2786",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 10.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-03-29T21:59:03.643",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73394"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73394"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2017-01-31 22:59
Modified
2025-04-20 01:37
Severity ?
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| cve@mitre.org | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/10/8 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2016/11/18/1 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/94395 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/ | Patch, Third Party Advisory, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | merge_system | * | |
| mybb | mybb | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*",
"matchCriteriaId": "716986AC-5E6D-4DDD-A553-B88981BDE788",
"versionEndIncluding": "1.8.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2212E819-C064-4963-BCD2-214F09A46902",
"versionEndIncluding": "1.8.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) en versiones anteriores a 1.8.7 y MyBB Merge System en versiones anteriores a 1.8.7 pueden permitir a atacantes remotos obtener informaci\u00f3n sensible de la base de datos a trav\u00e9s de vectores relacionados con plantillas."
}
],
"id": "CVE-2016-9410",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-01-31T22:59:01.347",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-11-04 21:00
Modified
2025-04-09 00:30
Severity ?
Summary
MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer's content inspection, aka "Incomplete protection against MIME-sniffing." NOTE: this could be leveraged for XSS and other attacks.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer\u0027s content inspection, aka \"Incomplete protection against MIME-sniffing.\" NOTE: this could be leveraged for XSS and other attacks."
},
{
"lang": "es",
"value": "MyBB (tambi\u00e9n conocido como MyBulletinBoard) v1.4.2 no maneja de forma adecuada un fichero que se haya subido y que sea de un tipo no est\u00e1ndar que contenga secuencias HTML; esto permite a atacantes remotos provocar que el fichero sea procesado como un HTML por las inspecciones de contenidos de Internet Explorer. Tambi\u00e9n se conoce como \"Protecci\u00f3n incompleta contra MIME-sniffing\". NOTA: Esto podr\u00eda ser utilizado para XSS y otro tipo de ataques."
}
],
"id": "CVE-2008-4930",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2008-11-04T21:00:05.987",
"references": [
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "cve@mitre.org",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2010-12-30 21:00
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en MyBB (MyBulletinBoard) 1.4.14, y 1.6.x anteriores a la 1.6.1. Permiten a atacantes remotos inyectar codigo de script web o c\u00f3digo HTML de su elecci\u00f3n a trav\u00e9s de vectores relacionados con (1) editpost.php, (2) member.php y (3) newreply.php."
}
],
"id": "CVE-2010-4522",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2010-12-30T21:00:02.220",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2010/12/20/1"
},
{
"source": "secalert@redhat.com",
"url": "http://openwall.com/lists/oss-security/2010/12/22/2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/20/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://openwall.com/lists/oss-security/2010/12/22/2"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-18 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) \"title to assign\" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de XSS en el backend administrativo en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 permiten a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s (1) del campo MIME-type en una acci\u00f3n de a\u00f1adir en el modulo config-attachment_types en admin/index.php; (2) del campo title o (3) short description en una acci\u00f3n de a\u00f1adir en el m\u00f3dulo (a) config-mycode o (b) user-groups en admin/index.php; (4) del campo title en una acci\u00f3n de a\u00f1adir en el m\u00f3dulo (c) forum-management o (d) tool-tasks en admin/index.php; (5) del campo name en una acci\u00f3n de a\u00f1adir en el m\u00f3dulo style-templates en admin/index.php; (6) del campo title en una acci\u00f3n add_template_group en el m\u00f3dulo style-templates en admin/index.php; (7) del campo name en una acci\u00f3n de a\u00f1adir en el m\u00f3dulo config-post_icons en admin/index.php; (8) del campo \u0027title to assign\u0027 en una acci\u00f3n de a\u00f1adir en el m\u00f3dulo user-titles en admin/index.php; o (9) del campo username en el m\u00f3dulo config-banning en admin/index.php."
}
],
"id": "CVE-2015-2149",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-03-18T14:59:00.077",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/80"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2015/q1/629"
},
{
"source": "cve@mitre.org",
"url": "http://seclists.org/oss-sec/2015/q1/705"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/72738"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/80"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://seclists.org/oss-sec/2015/q1/629"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2015/q1/705"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/72738"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-06-02 16:15
Modified
2025-07-02 15:18
Severity ?
Summary
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6445406-D542-43F3-97A5-BB4BDC20E2FA",
"versionEndExcluding": "1.8.39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue."
},
{
"lang": "es",
"value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. Antes de la versi\u00f3n 1.8.39, el componente de actualizaci\u00f3n no validaba correctamente la entrada del usuario, lo que permit\u00eda a los atacantes realizar la inclusi\u00f3n local de archivos (LFI) mediante un valor de par\u00e1metro especialmente manipulado. Para explotar esta vulnerabilidad, el instalador debe estar desbloqueado (sin el archivo `install/lock` presente) y el script de actualizaci\u00f3n debe ser accesible (reinstalando el foro mediante el acceso a `install/index.php`; cuando el foro a\u00fan no se haya instalado; o el atacante est\u00e9 autenticado como administrador del foro). MyBB 1.8.39 resuelve este problema."
}
],
"id": "CVE-2025-48940",
"lastModified": "2025-07-02T15:18:47.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-06-02T16:15:30.063",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/mybb/mybb/commit/6e6cfbd524d9101b51e1278ecf520479b64b0f00"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-q4jv-xwjx-37cp"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://mybb.com/versions/1.8.39"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-08-28 19:29
Modified
2024-11-21 03:51
Severity ?
Summary
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/ | Vendor Advisory | |
| cve@mitre.org | https://www.exploit-db.com/exploits/45393/ | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/45393/ | Exploit, Third Party Advisory, VDB Entry |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:1.8.17:*:*:*:*:*:*:*",
"matchCriteriaId": "2E2D331B-248E-4832-9D75-3B3328E8AA29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=\u0026type=atom1.0\u0026limit=15. The thread titles (within title elements of the generated XML documents) aren\u0027t sanitized, leading to XSS."
},
{
"lang": "es",
"value": "Se ha descubierto un problema en inc/class_feedgeneration.php en MyBB 1.8.17. En la p\u00e1gina de foro RSS Syndication, se puede generar una URL como http://localhost/syndication.php?fid=type=atom1.0limit=15. Los t\u00edtulos de hilos (en los elementos de t\u00edtulo de los documentos XML generados) no se sanean, lo que conduce a Cross-Site Scripting (XSS)."
}
],
"id": "CVE-2018-15596",
"lastModified": "2024-11-21T03:51:08.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-08-28T19:29:16.553",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/45393/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://www.exploit-db.com/exploits/45393/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-09-11 01:13
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.00 | |
| mybb | mybb | 1.01 | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.02 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.03 | |
| mybb | mybb | 1.04 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BE928783-BD14-4BCD-BC6E-13E406431705",
"versionEndIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
"matchCriteriaId": "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
"matchCriteriaId": "990E206E-5E2C-4A68-9FDF-CD47F7524054",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
"matchCriteriaId": "C5C52215-D236-4D1A-9E30-14B9676FB68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
"matchCriteriaId": "F6ABDEE8-D463-47CA-998D-33472F3382F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
"matchCriteriaId": "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php."
},
{
"lang": "es",
"value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en MyBB (alias MyBulletinBoard) en versiones anteriores a 1.4.1 que permite a los atacantes remotos inyectar una secuencia arbitraria de comandos web o HTML a trav\u00e9s de (1) un cierto campo origen en in usercp2.php, (2) un cierto campo origen en inc/functions_online.php, y ciertos campos (3) tsubject y (4) psubject en moderation.php"
}
],
"evaluatorSolution": "Patch information - http://community.mybboard.net/showthread.php?tid=36022\r\n",
"id": "CVE-2008-3966",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-09-11T01:13:47.680",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "cve@mitre.org",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "cve@mitre.org",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "cve@mitre.org",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://secunia.com/advisories/31760"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/31104"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2012-08-30 22:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "usernames via AJAX."
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| mybb | mybb | * | |
| mybb | mybb | 1.1.0 | |
| mybb | mybb | 1.1.1 | |
| mybb | mybb | 1.1.2 | |
| mybb | mybb | 1.1.3 | |
| mybb | mybb | 1.1.4 | |
| mybb | mybb | 1.1.5 | |
| mybb | mybb | 1.1.6 | |
| mybb | mybb | 1.1.7 | |
| mybb | mybb | 1.1.8 | |
| mybb | mybb | 1.2 | |
| mybb | mybb | 1.2.0 | |
| mybb | mybb | 1.2.1 | |
| mybb | mybb | 1.2.2 | |
| mybb | mybb | 1.2.3 | |
| mybb | mybb | 1.2.4 | |
| mybb | mybb | 1.2.5 | |
| mybb | mybb | 1.2.6 | |
| mybb | mybb | 1.2.7 | |
| mybb | mybb | 1.2.8 | |
| mybb | mybb | 1.2.9 | |
| mybb | mybb | 1.2.10 | |
| mybb | mybb | 1.2.11 | |
| mybb | mybb | 1.2.12 | |
| mybb | mybb | 1.2.13 | |
| mybb | mybb | 1.2.14 | |
| mybb | mybb | 1.3 | |
| mybb | mybb | 1.4.0 | |
| mybb | mybb | 1.4.1 | |
| mybb | mybb | 1.4.2 | |
| mybb | mybb | 1.4.3 | |
| mybb | mybb | 1.4.4 | |
| mybb | mybb | 1.4.5 | |
| mybb | mybb | 1.4.6 | |
| mybb | mybb | 1.4.7 | |
| mybb | mybb | 1.4.8 | |
| mybb | mybb | 1.4.9 | |
| mybb | mybb | 1.4.10 | |
| mybb | mybb | 1.4.11 | |
| mybb | mybb | 1.4.12 | |
| mybb | mybb | 1.4.13 | |
| mybb | mybb | 1.4.14 | |
| mybb | mybb | 1.4.15 | |
| mybb | mybb | 1.4.16 | |
| mybb | mybb | 1.5.1 | |
| mybb | mybb | 1.5.2 | |
| mybb | mybb | 1.6.0 | |
| mybb | mybb | 1.6.1 | |
| mybb | mybb | 1.6.2 | |
| mybb | mybb | 1.6.3 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EF48E06-2401-400C-B4DB-F26505D0638C",
"versionEndIncluding": "1.6.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "CF143B59-5C78-4BF6-9368-5BCF427B4753",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "029430A5-85BD-4258-B58D-F3DCBC625E5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4E080342-93CD-4E74-AE60-5858738CE7F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "B6725373-C229-4B57-BB1E-AF178E19DEB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "AB01A9AA-AE70-46DF-815A-05D1101EE706",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "137A8CED-BE82-462F-B83C-15F535961E74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
"matchCriteriaId": "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3A2D344F-4671-4194-A553-A5773B5DF3B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
"matchCriteriaId": "245760C8-DC10-47F1-843A-461AE2F3DF61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
"matchCriteriaId": "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
"matchCriteriaId": "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
"matchCriteriaId": "71FD2842-7E00-440F-8A93-9D3F45A004DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
"matchCriteriaId": "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC8864E-161F-408E-93D6-693A9238C494",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9503D6C2-DCBC-4720-BE29-34913950407E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "853E94FE-A56F-44B0-87FE-DE5927B7A547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "49C7F758-9E38-4870-85C3-11E350F96641",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "58C9C804-6901-412C-B178-183417BD5C04",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A00F1254-67DE-436D-AB83-1C55639BDBD2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "2021275B-D61A-4309-8876-5354E115CB29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "D35E537F-0F49-40AB-9E97-7898D91353D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
"matchCriteriaId": "57C37D10-B945-4674-A846-BCEC573FF93C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
"matchCriteriaId": "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E5B50C36-C3D7-48FD-805B-4A94E727C93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "FBEB75D4-FAA4-4A5B-AA0A-57EE8EE88E61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "00E51ABC-9F77-4028-BE47-D5BFD4FEC749",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E0BD20D9-0DFC-451F-9C71-38C6D0236CF2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to \"usernames via AJAX.\""
},
{
"lang": "es",
"value": "Vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en MyBB anterior a v1.6.5 permite a atacantes remotos inyectar c\u00f3digo web o HTML arbitrario a trav\u00e9s de vectores relacionados con nombres de usuarios a trav\u00e9s de AJAX."
}
],
"id": "CVE-2011-5132",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-08-30T22:55:04.187",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/77326"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71461"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46951"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/77326"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71461"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 18:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2 | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2 | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3)."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en MyBB versiones anteriores a 1.8.26 mediante User Groups.\u0026#xa0;(n\u00famero 3 de 3)"
}
],
"id": "CVE-2021-27948",
"lastModified": "2024-11-21T05:58:53.690",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:18.893",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 18:15
Modified
2024-11-21 05:58
Severity ?
Summary
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2 | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2 | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting en MyBB versiones anteriores a 1.8.26, por medio de las herramientas de moderaci\u00f3n Custom"
}
],
"id": "CVE-2021-27949",
"lastModified": "2024-11-21T05:58:53.907",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:18.957",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2021-03-15 18:15
Modified
2024-11-21 05:58
Severity ?
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E92578FF-AAA5-4F8F-8D78-0662DB9BB02C",
"versionEndExcluding": "1.8.26",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3)."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en MyBB, versiones anteriores a 1.8.26, mediante el recuento de votos de la encuesta.\u0026#xa0;(n\u00famero 1 de 3)"
}
],
"id": "CVE-2021-27946",
"lastModified": "2024-11-21T05:58:53.293",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-03-15T18:15:18.767",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2008-02-15 01:00
Modified
2025-04-09 00:30
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "584748F9-2F9A-4FC8-8C4B-0C30E54F6FED",
"versionEndIncluding": "1.2.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php."
},
{
"lang": "es",
"value": "M\u00faltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en MyBB versi\u00f3n 1.2.11 y anteriores, permiten a los atacantes remotos (1) secuestrar la autenticaci\u00f3n de moderadores o administradores para las peticiones que eliminan hilos (subprocesos) por medio de una acci\u00f3n do_multideletethreads para el archivo moderation.php y (2) secuestran la autenticaci\u00f3n de usuarios arbitrarios para peticiones que eliminan mensajes privados (PM) por medio de una acci\u00f3n delete en private.php."
}
],
"id": "CVE-2008-0788",
"lastModified": "2025-04-09T00:30:58.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2008-02-15T01:00:00.000",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/showthread.php?tid=27675"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28572/"
},
{
"source": "cve@mitre.org",
"url": "http://securityreason.com/securityalert/3656"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/archive/1/486663"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2008/0238"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "http://community.mybboard.net/showthread.php?tid=27675"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/28572/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://securityreason.com/securityalert/3656"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.securityfocus.com/archive/1/486663"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2008/0238"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2015-03-18 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AEC41207-93E4-416F-9670-6AC626CF0700",
"versionEndIncluding": "1.8.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
},
{
"lang": "es",
"value": "Vulnerabilidad de CSRF en el inicio de sesi\u00f3n de Admin Control Panel (ACP) en MyBB (tambi\u00e9n conocido como MyBulletinBoard) anterior a 1.8.4 permite a atacantes remotos secuestrar la autenticaci\u00f3n de victimas no especificadas a trav\u00e9s de vectores desconocidos."
}
],
"id": "CVE-2015-2334",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2015-03-18T14:59:03.827",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/73214"
},
{
"source": "cve@mitre.org",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/73214"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1031953"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-01-03 20:15
Modified
2025-04-10 16:15
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r | Patch, Release Notes, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BABCA8C2-04EA-4394-A354-A9B9B4F1BADB",
"versionEndExcluding": "1.8.33",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution."
},
{
"lang": "es",
"value": "MyBB anterior a 1.8.33 permite Directory Traversal. El m\u00f3dulo Admin CP Languages permite a los usuarios remotos autenticados, con altos privilegios, lograr la inclusi\u00f3n y ejecuci\u00f3n de archivos locales."
}
],
"id": "CVE-2022-45867",
"lastModified": "2025-04-10T16:15:26.493",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-01-03T20:15:10.340",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2023-45556 (GCVE-0-2023-45556)
Vulnerability from cvelistv5
Published
2023-11-06 00:00
Modified
2024-09-05 14:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:21:16.660Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/Or4ngm4n/Mybb/blob/main/MyBB%201.8.33%20Cross%20Site%20Scripting.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://raw.githubusercontent.com/Or4ngm4n/Mybb/main/Screenshot%202023-10-08%20012112.png"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-4xqm-3cm2-5xgf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45556",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T14:16:43.852992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T14:16:56.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T21:40:52.545582",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/Or4ngm4n/Mybb/blob/main/MyBB%201.8.33%20Cross%20Site%20Scripting.txt"
},
{
"url": "https://raw.githubusercontent.com/Or4ngm4n/Mybb/main/Screenshot%202023-10-08%20012112.png"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-4xqm-3cm2-5xgf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-45556",
"datePublished": "2023-11-06T00:00:00",
"dateReserved": "2023-10-09T00:00:00",
"dateUpdated": "2024-09-05T14:16:56.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8103 (GCVE-0-2017-8103)
Vulnerability from cvelistv5
Published
2017-04-24 18:00
Modified
2024-09-16 18:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:27:22.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/53"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-24T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/53"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8103",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Apr/53",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Apr/53"
},
{
"name": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8103",
"datePublished": "2017-04-24T18:00:00Z",
"dateReserved": "2017-04-24T00:00:00Z",
"dateUpdated": "2024-09-16T18:29:44.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3826 (GCVE-0-2014-3826)
Vulnerability from cvelistv5
Published
2020-02-11 18:48
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.832Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T18:48:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3826",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://adamziaja.com/poc/201312-xss-mybb.html",
"refsource": "MISC",
"url": "http://adamziaja.com/poc/201312-xss-mybb.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3826",
"datePublished": "2020-02-11T18:48:04",
"dateReserved": "2014-05-22T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2332 (GCVE-0-2015-2332)
Vulnerability from cvelistv5
Published
2015-03-18 14:00
Modified
2024-08-06 05:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:10:16.163Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73212",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73212"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73212",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73212"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2332",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73212",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73212"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2332",
"datePublished": "2015-03-18T14:00:00",
"dateReserved": "2015-03-18T00:00:00",
"dateUpdated": "2024-08-06T05:10:16.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16780 (GCVE-0-2017-16780)
Vulnerability from cvelistv5
Published
2017-11-10 23:00
Modified
2024-08-05 20:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:20.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43136",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43136/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-20T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43136",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43136/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16780",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43136",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43136/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16780",
"datePublished": "2017-11-10T23:00:00",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-08-05T20:35:20.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-20225 (GCVE-0-2019-20225)
Vulnerability from cvelistv5
Published
2020-01-02 14:02
Modified
2024-08-05 02:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.22 allows an open redirect on login.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T02:39:09.790Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.22/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.22 allows an open redirect on login."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-02T14:02:26",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.22/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-20225",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB before 1.8.22 allows an open redirect on login."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release/"
},
{
"name": "https://mybb.com/versions/1.8.22/",
"refsource": "MISC",
"url": "https://mybb.com/versions/1.8.22/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-20225",
"datePublished": "2020-01-02T14:02:26",
"dateReserved": "2020-01-02T00:00:00",
"dateUpdated": "2024-08-05T02:39:09.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-15139 (GCVE-0-2020-15139)
Vulnerability from cvelistv5
Published
2020-08-10 21:35
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:22.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.24/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MyBB",
"vendor": "MyBB",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn\u0027t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-08-10T21:35:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.24/"
}
],
"source": {
"advisory": "GHSA-37h7-vfv6-f8rj",
"discovery": "UNKNOWN"
},
"title": "XSS in MyBB",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15139",
"STATE": "PUBLIC",
"TITLE": "XSS in MyBB"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MyBB",
"version": {
"version_data": [
{
"version_value": "\u003c 1.8.24"
}
]
}
}
]
},
"vendor_name": "MyBB"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn\u0027t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj"
},
{
"name": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0"
},
{
"name": "https://mybb.com/versions/1.8.24/",
"refsource": "MISC",
"url": "https://mybb.com/versions/1.8.24/"
}
]
},
"source": {
"advisory": "GHSA-37h7-vfv6-f8rj",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15139",
"datePublished": "2020-08-10T21:35:13",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:22.286Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45867 (GCVE-0-2022-45867)
Vulnerability from cvelistv5
Published
2023-01-03 00:00
Modified
2025-04-10 15:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:03.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45867",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-10T15:23:56.989618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-10T15:24:04.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-03T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-45867",
"datePublished": "2023-01-03T00:00:00.000Z",
"dateReserved": "2022-11-23T00:00:00.000Z",
"dateUpdated": "2025-04-10T15:24:04.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000502 (GCVE-0-2018-1000502)
Vulnerability from cvelistv5
Published
2018-06-26 16:00
Modified
2024-08-05 12:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.006Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-23T00:00:00",
"datePublic": "2018-06-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -\u003e Task Manager -\u003e Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-26T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-23T11:22:33.002399",
"DATE_REQUESTED": "2018-04-07T06:34:59",
"ID": "CVE-2018-1000502",
"REQUESTER": "riley@mailo.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -\u003e Task Manager -\u003e Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html",
"refsource": "MISC",
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"name": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000502",
"datePublished": "2018-06-26T16:00:00",
"dateReserved": "2018-04-07T00:00:00",
"dateUpdated": "2024-08-05T12:40:47.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12830 (GCVE-0-2019-12830)
Vulnerability from cvelistv5
Published
2019-06-15 17:04
Modified
2024-08-04 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:55.480Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-15T17:04:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12830",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/",
"refsource": "MISC",
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"name": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12830",
"datePublished": "2019-06-15T17:04:50",
"dateReserved": "2019-06-15T00:00:00",
"dateUpdated": "2024-08-04T23:32:55.480Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3070 (GCVE-0-2008-3070)
Vulnerability from cvelistv5
Published
2008-07-08 18:00
Modified
2024-08-07 09:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T09:21:35.046Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-05-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user[\u0027language\u0027] variable, probably related to SQL injection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-27T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3070",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user[\u0027language\u0027] variable, probably related to SQL injection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/attachment.php?aid=9272",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31013"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=31666",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3070",
"datePublished": "2008-07-08T18:00:00",
"dateReserved": "2008-07-08T00:00:00",
"dateUpdated": "2024-08-07T09:21:35.046Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9407 (GCVE-0-2016-9407)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.683Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9407",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9407",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-4929 (GCVE-0-2008-4929)
Vulnerability from cvelistv5
Published
2008-11-04 20:00
Modified
2025-01-17 15:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:31:28.329Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "31936",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31936"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2008-4929",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-14T18:30:55.573662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-17T15:22:15.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-10-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-11-15T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "31936",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31936"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4929",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "31936",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31936"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-4929",
"datePublished": "2008-11-04T20:00:00",
"dateReserved": "2008-11-04T00:00:00",
"dateUpdated": "2025-01-17T15:22:15.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9241 (GCVE-0-2014-9241)
Vulnerability from cvelistv5
Published
2014-12-03 21:00
Modified
2024-09-16 23:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:40:24.988Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-03T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9241",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"name": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9241",
"datePublished": "2014-12-03T21:00:00Z",
"dateReserved": "2014-12-03T00:00:00Z",
"dateUpdated": "2024-09-16T23:42:18.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-5132 (GCVE-0-2011-5132)
Vulnerability from cvelistv5
Published
2012-08-30 22:00
Modified
2024-08-07 00:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "usernames via AJAX."
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:23:40.249Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-username-xss(71461)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71461"
},
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46951"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50816"
},
{
"name": "77326",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/77326"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-10-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to \"usernames via AJAX.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-username-xss(71461)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71461"
},
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46951"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50816"
},
{
"name": "77326",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/77326"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5132",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to \"usernames via AJAX.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-username-xss(71461)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71461"
},
{
"name": "46951",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46951"
},
{
"name": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50816"
},
{
"name": "77326",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/77326"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-5132",
"datePublished": "2012-08-30T22:00:00",
"dateReserved": "2012-08-30T00:00:00",
"dateUpdated": "2024-08-07T00:23:40.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46251 (GCVE-0-2023-46251)
Vulnerability from cvelistv5
Published
2023-11-06 17:41
Modified
2024-09-04 19:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_):
- _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:40.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8"
},
{
"name": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276"
},
{
"name": "https://mybb.com/versions/1.8.37/",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.37/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"lessThan": "1.8.37",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46251",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-04T19:26:53.568111Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-04T19:32:41.984Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": " MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn\u0027t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP \u2192 Configuration \u2192 Settings \u2192 Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP \u2192 Your Profile \u2192 Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP \u2192 Configuration \u2192 Settings_):\n- _Clickable Smilies and BB Code \u2192 [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP \u2192 Your Profile \u2192 Edit Options_) _Show the MyCode formatting options on the posting pages_."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-06T17:41:30.378Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8"
},
{
"name": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276"
},
{
"name": "https://mybb.com/versions/1.8.37/",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.37/"
}
],
"source": {
"advisory": "GHSA-wj33-q7vj-9fr8",
"discovery": "UNKNOWN"
},
"title": "Visual editor persistent Cross-site Scripting (XSS) in MyBB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46251",
"datePublished": "2023-11-06T17:41:30.378Z",
"dateReserved": "2023-10-19T20:34:00.948Z",
"dateUpdated": "2024-09-04T19:32:41.984Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2149 (GCVE-0-2015-2149)
Vulnerability from cvelistv5
Published
2015-03-18 14:00
Modified
2024-08-06 05:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:02:43.413Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "72738",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72738"
},
{
"name": "[oss-security] 20150221 CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2015/q1/629"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html"
},
{
"name": "20150221 Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/80"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
},
{
"name": "[oss-security] 20150227 Re: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2015/q1/705"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) \"title to assign\" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-06-15T11:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "72738",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72738"
},
{
"name": "[oss-security] 20150221 CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2015/q1/629"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html"
},
{
"name": "20150221 Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Feb/80"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
},
{
"name": "[oss-security] 20150227 Re: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://seclists.org/oss-sec/2015/q1/705"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2149",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) \"title to assign\" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "72738",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72738"
},
{
"name": "[oss-security] 20150221 CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2015/q1/629"
},
{
"name": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html",
"refsource": "MISC",
"url": "http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html"
},
{
"name": "20150221 Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Feb/80"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
},
{
"name": "[oss-security] 20150227 Re: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities",
"refsource": "MLIST",
"url": "http://seclists.org/oss-sec/2015/q1/705"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2149",
"datePublished": "2015-03-18T14:00:00",
"dateReserved": "2015-02-27T00:00:00",
"dateUpdated": "2024-08-06T05:02:43.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9413 (GCVE-0-2016-9413)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.728Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9413",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9413",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2334 (GCVE-0-2015-2334)
Vulnerability from cvelistv5
Published
2015-03-18 14:00
Modified
2024-08-06 05:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:10:16.265Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73214",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73214"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73214",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73214"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73214",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73214"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2334",
"datePublished": "2015-03-18T14:00:00",
"dateReserved": "2015-03-18T00:00:00",
"dateUpdated": "2024-08-06T05:10:16.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27279 (GCVE-0-2021-27279)
Vulnerability from cvelistv5
Published
2021-02-22 19:04
Modified
2024-08-03 20:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:48:16.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.25/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-22T19:04:20",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.25/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27279",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mybb.com/versions/1.8.25/",
"refsource": "MISC",
"url": "https://mybb.com/versions/1.8.25/"
},
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w"
},
{
"name": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27279",
"datePublished": "2021-02-22T19:04:20",
"dateReserved": "2021-02-16T00:00:00",
"dateUpdated": "2024-08-03T20:48:16.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2006-0442 (GCVE-0-2006-0442)
Vulnerability from cvelistv5
Published
2006-01-26 22:00
Modified
2024-08-07 16:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T16:34:14.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://kapda.ir/advisory-241.html"
},
{
"name": "18603",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/18603"
},
{
"name": "20060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/423128/100/0/threaded"
},
{
"name": "1015535",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1015535"
},
{
"name": "ADV-2006-0316",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2006/0316"
},
{
"name": "16361",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/16361"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2006-01-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://kapda.ir/advisory-241.html"
},
{
"name": "18603",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/18603"
},
{
"name": "20060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/423128/100/0/threaded"
},
{
"name": "1015535",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1015535"
},
{
"name": "ADV-2006-0316",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2006/0316"
},
{
"name": "16361",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/16361"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-0442",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://kapda.ir/advisory-241.html",
"refsource": "MISC",
"url": "http://kapda.ir/advisory-241.html"
},
{
"name": "18603",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/18603"
},
{
"name": "20060124 [KAPDA::#25] - MyBB 1.x Cross_Site_Scripting",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/423128/100/0/threaded"
},
{
"name": "1015535",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/id?1015535"
},
{
"name": "ADV-2006-0316",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2006/0316"
},
{
"name": "16361",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/16361"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-0442",
"datePublished": "2006-01-26T22:00:00",
"dateReserved": "2006-01-26T00:00:00",
"dateUpdated": "2024-08-07T16:34:14.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-8104 (GCVE-0-2017-8104)
Vulnerability from cvelistv5
Published
2017-04-24 18:00
Modified
2024-08-05 16:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:27:22.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/55"
},
{
"name": "98045",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/98045"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-28T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2017/Apr/55"
},
{
"name": "98045",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/98045"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-8104",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://seclists.org/fulldisclosure/2017/Apr/55",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2017/Apr/55"
},
{
"name": "98045",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/98045"
},
{
"name": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-8104",
"datePublished": "2017-04-24T18:00:00",
"dateReserved": "2017-04-24T00:00:00",
"dateUpdated": "2024-08-05T16:27:22.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-0544 (GCVE-0-2007-0544)
Vulnerability from cvelistv5
Published
2007-01-29 17:00
Modified
2024-08-07 12:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T12:19:30.529Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-subject-field-xss(31740)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31740"
},
{
"name": "32967",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/32967"
},
{
"name": "22205",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/22205"
},
{
"name": "23934",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/23934"
},
{
"name": "20070124 [Aria-Security Team] MyBB Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/457929/100/0/threaded"
},
{
"name": "28837",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28837"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-01-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-subject-field-xss(31740)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31740"
},
{
"name": "32967",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/32967"
},
{
"name": "22205",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/22205"
},
{
"name": "23934",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/23934"
},
{
"name": "20070124 [Aria-Security Team] MyBB Cross-Site Scripting",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/457929/100/0/threaded"
},
{
"name": "28837",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28837"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-0544",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-subject-field-xss(31740)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/31740"
},
{
"name": "32967",
"refsource": "OSVDB",
"url": "http://osvdb.org/32967"
},
{
"name": "22205",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/22205"
},
{
"name": "23934",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/23934"
},
{
"name": "20070124 [Aria-Security Team] MyBB Cross-Site Scripting",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/457929/100/0/threaded"
},
{
"name": "28837",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28837"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-0544",
"datePublished": "2007-01-29T17:00:00",
"dateReserved": "2007-01-29T00:00:00",
"dateUpdated": "2024-08-07T12:19:30.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9402 (GCVE-0-2016-9402)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9402",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9402",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-39265 (GCVE-0-2022-39265)
Vulnerability from cvelistv5
Published
2022-10-06 00:00
Modified
2025-04-22 17:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338"
},
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.31/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39265",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:09.812330Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:19:51.525Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.31"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The _Mail Settings_ \u2192 Additional Parameters for PHP\u0027s mail() function mail_parameters setting value, in connection with the configured mail program\u0027s options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-10-11T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7"
},
{
"url": "https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797"
},
{
"url": "https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338"
},
{
"url": "https://mybb.com/versions/1.8.31/"
}
],
"source": {
"advisory": "GHSA-hxhm-rq9f-7xj7",
"discovery": "UNKNOWN"
},
"title": "Mail settings\u0027 command parameter injection in mybb"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39265",
"datePublished": "2022-10-06T00:00:00.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:19:51.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1840 (GCVE-0-2014-1840)
Vulnerability from cvelistv5
Published
2014-03-03 16:00
Modified
2024-08-06 09:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:50:11.072Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-03-03T15:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1840",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/125038/MyBB-1.6.12-POST-Cross-Site-Scripting.html"
},
{
"name": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/",
"refsource": "MISC",
"url": "http://osandamalith.wordpress.com/2014/02/02/mybb-1-6-12-post-xss-0day/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1840",
"datePublished": "2014-03-03T16:00:00",
"dateReserved": "2014-02-02T00:00:00",
"dateUpdated": "2024-08-06T09:50:11.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-10018 (GCVE-0-2011-10018)
Vulnerability from cvelistv5
Published
2025-08-13 20:35
Modified
2025-08-14 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| myBB Group | Forum Software |
Version: 1.6.4 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2011-10018",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T14:07:57.715204Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T14:08:01.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/17949"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"index.php",
"collapsed cookie"
],
"product": "Forum Software",
"vendor": "myBB Group",
"versions": [
{
"status": "affected",
"version": "1.6.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "MyBB"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application."
}
],
"value": "myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-242 Code Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-912",
"description": "CWE-912 Hidden Functionality",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-13T20:35:31.755Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb"
},
{
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/17949"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/"
},
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "myBB 1.6.4 Backdoor Arbitrary Command Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2011-10018",
"datePublished": "2025-08-13T20:35:31.755Z",
"dateReserved": "2025-08-13T17:52:08.905Z",
"dateUpdated": "2025-08-14T14:08:01.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19201 (GCVE-0-2018-19201)
Vulnerability from cvelistv5
Published
2019-03-29 18:58
Modified
2024-08-05 11:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:30:04.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the \u0027username\u0027 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-11T20:03:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the \u0027username\u0027 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"name": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19201",
"datePublished": "2019-03-29T18:58:41",
"dateReserved": "2018-11-12T00:00:00",
"dateUpdated": "2024-08-05T11:30:04.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12831 (GCVE-0-2019-12831)
Vulnerability from cvelistv5
Published
2019-06-15 17:05
Modified
2024-08-04 23:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:32:55.221Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-15T17:05:08",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12831",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/",
"refsource": "MISC",
"url": "https://blog.ripstech.com/2019/mybb-stored-xss-to-rce/"
},
{
"name": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12831",
"datePublished": "2019-06-15T17:05:08",
"dateReserved": "2019-06-15T00:00:00",
"dateUpdated": "2024-08-04T23:32:55.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-2212 (GCVE-0-2007-2212)
Vulnerability from cvelistv5
Published
2007-04-24 20:00
Modified
2024-08-07 13:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T13:23:51.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-calendar-sql-injection(33814)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33814"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-04-23T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-calendar-sql-injection(33814)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33814"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-2212",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-calendar-sql-injection(33814)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33814"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-2212",
"datePublished": "2007-04-24T20:00:00",
"dateReserved": "2007-04-24T00:00:00",
"dateUpdated": "2024-08-07T13:23:51.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48941 (GCVE-0-2025-48941)
Vulnerability from cvelistv5
Published
2025-06-02 15:58
Modified
2025-06-02 16:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1230 - Exposure of Sensitive Information Through Metadata
Summary
MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:06:50.510582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:07:10.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.39"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1230",
"description": "CWE-1230: Exposure of Sensitive Information Through Metadata",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:58:49.498Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-f847-57xc-ffwr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-f847-57xc-ffwr"
},
{
"name": "https://github.com/mybb/mybb/commit/b8cc332a27e145c33effaccec90e23c103ae5193",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/b8cc332a27e145c33effaccec90e23c103ae5193"
},
{
"name": "https://mybb.com/versions/1.8.39",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.39"
}
],
"source": {
"advisory": "GHSA-f847-57xc-ffwr",
"discovery": "UNKNOWN"
},
"title": "MyBB may disclosure unviewable threads\u0027 titles in searches"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48941",
"datePublished": "2025-06-02T15:58:49.498Z",
"dateReserved": "2025-05-28T18:49:07.581Z",
"dateUpdated": "2025-06-02T16:07:10.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9403 (GCVE-0-2016-9403)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9403",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9403",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27947 (GCVE-0-2021-27947)
Vulnerability from cvelistv5
Published
2021-03-15 17:10
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T17:14:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27947",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-jjx8-8mcp-7h65"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27947",
"datePublished": "2021-03-15T17:10:33",
"dateReserved": "2021-03-04T00:00:00",
"dateUpdated": "2024-08-03T21:33:16.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4627 (GCVE-0-2010-4627)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/852"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-usercp2-csrf(64515)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64515"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/852"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-usercp2-csrf(64515)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64515"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "http://dev.mybboard.net/issues/852",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/852"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-usercp2-csrf(64515)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64515"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4627",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27890 (GCVE-0-2021-27890)
Vulnerability from cvelistv5
Published
2021-03-15 17:04
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:16.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-20T18:17:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27890",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq"
},
{
"name": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"name": "https://blog.sonarsource.com/mybb-remote-code-execution-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27890",
"datePublished": "2021-03-15T17:04:13",
"dateReserved": "2021-03-02T00:00:00",
"dateUpdated": "2024-08-03T21:33:16.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-1963 (GCVE-0-2007-1963)
Vulnerability from cvelistv5
Published
2007-04-11 10:00
Modified
2024-08-07 13:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T13:13:42.000Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=18002"
},
{
"name": "24689",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/24689"
},
{
"name": "ADV-2007-1244",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2007/1244"
},
{
"name": "3653",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/3653"
},
{
"name": "34657",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/34657"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=5842"
},
{
"name": "20070403 MyBulletinBoard (MyBB) \u003c= 1.2.3 Remote Code Execution Exploit",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/464563/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-04-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=18002"
},
{
"name": "24689",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/24689"
},
{
"name": "ADV-2007-1244",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2007/1244"
},
{
"name": "3653",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/3653"
},
{
"name": "34657",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/34657"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=5842"
},
{
"name": "20070403 MyBulletinBoard (MyBB) \u003c= 1.2.3 Remote Code Execution Exploit",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/464563/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-1963",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/showthread.php?tid=18002",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=18002"
},
{
"name": "24689",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/24689"
},
{
"name": "ADV-2007-1244",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2007/1244"
},
{
"name": "3653",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/3653"
},
{
"name": "34657",
"refsource": "OSVDB",
"url": "http://osvdb.org/34657"
},
{
"name": "http://community.mybboard.net/attachment.php?aid=5842",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=5842"
},
{
"name": "20070403 MyBulletinBoard (MyBB) \u003c= 1.2.3 Remote Code Execution Exploit",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/464563/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-1963",
"datePublished": "2007-04-11T10:00:00",
"dateReserved": "2007-04-10T00:00:00",
"dateUpdated": "2024-08-07T13:13:42.000Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29457 (GCVE-0-2025-29457)
Vulnerability from cvelistv5
Published
2025-04-17 00:00
Modified
2025-04-23 12:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T15:45:39.959105Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:46:13.194Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T12:59:36.907Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv"
},
{
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-29457",
"datePublished": "2025-04-17T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-23T12:59:36.907Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2005-4199 (GCVE-0-2005-4199)
Vulnerability from cvelistv5
Published
2005-12-13 11:00
Modified
2024-08-07 23:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T23:38:51.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "15793",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/15793"
},
{
"name": "22158",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/22158"
},
{
"name": "18000",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/18000"
},
{
"name": "22156",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/22156"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/419067/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt"
},
{
"name": "246",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/246"
},
{
"name": "1015407",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://securitytracker.com/id?1015407"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html"
},
{
"name": "22157",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/22157"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt"
},
{
"name": "20051223 [TKADV2005-12-001] Multiple SQL Injection vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/420159/100/0/threaded"
},
{
"name": "294",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/294"
},
{
"name": "ADV-2005-2842",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2005/2842"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2005-12-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-19T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "15793",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/15793"
},
{
"name": "22158",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/22158"
},
{
"name": "18000",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/18000"
},
{
"name": "22156",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/22156"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/419067/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt"
},
{
"name": "246",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/246"
},
{
"name": "1015407",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://securitytracker.com/id?1015407"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html"
},
{
"name": "22157",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/22157"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt"
},
{
"name": "20051223 [TKADV2005-12-001] Multiple SQL Injection vulnerabilities in MyBB",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/420159/100/0/threaded"
},
{
"name": "294",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/294"
},
{
"name": "ADV-2005-2842",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2005/2842"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2005-4199",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "15793",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/15793"
},
{
"name": "22158",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/22158"
},
{
"name": "18000",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/18000"
},
{
"name": "22156",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/22156"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/419067/100/0/threaded"
},
{
"name": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt",
"refsource": "MISC",
"url": "http://www.trapkit.de/advisories/TKPN2005-12-001.txt"
},
{
"name": "246",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/246"
},
{
"name": "1015407",
"refsource": "SECTRACK",
"url": "http://securitytracker.com/id?1015407"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=5184\u0026pid=30964#pid30964"
},
{
"name": "20051209 [TKPN2005-12-001] Multiple critical vulnerabilities in MyBB",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html"
},
{
"name": "22157",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/22157"
},
{
"name": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt",
"refsource": "MISC",
"url": "http://www.trapkit.de/advisories/TKADV2005-12-001.txt"
},
{
"name": "20051223 [TKADV2005-12-001] Multiple SQL Injection vulnerabilities in MyBB",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/420159/100/0/threaded"
},
{
"name": "294",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/294"
},
{
"name": "ADV-2005-2842",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2005/2842"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2005-4199",
"datePublished": "2005-12-13T11:00:00",
"dateReserved": "2005-12-13T00:00:00",
"dateUpdated": "2024-08-07T23:38:51.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5909 (GCVE-0-2012-5909)
Vulnerability from cvelistv5
Published
2012-11-17 21:00
Modified
2024-08-06 21:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:21:28.268Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-index-conditionsusergroup-sql-injection(74396)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74396"
},
{
"name": "52743",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"name": "80634",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/80634"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-03-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-index-conditionsusergroup-sql-injection(74396)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74396"
},
{
"name": "52743",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"name": "80634",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/80634"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-index-conditionsusergroup-sql-injection(74396)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74396"
},
{
"name": "52743",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/52743"
},
{
"name": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
},
{
"name": "80634",
"refsource": "OSVDB",
"url": "http://osvdb.org/80634"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5909",
"datePublished": "2012-11-17T21:00:00",
"dateReserved": "2012-11-17T00:00:00",
"dateUpdated": "2024-08-06T21:21:28.268Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43707 (GCVE-0-2022-43707)
Vulnerability from cvelistv5
Published
2022-11-21 00:00
Modified
2025-04-29 14:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43707",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:15:48.697401Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:16:33.815Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-21T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-43707",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-24T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:16:33.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2786 (GCVE-0-2015-2786)
Vulnerability from cvelistv5
Published
2015-03-29 21:00
Modified
2024-08-06 05:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:24:38.933Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73394",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73394"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to \"Group join request notifications sent to wrong group leaders.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73394",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73394"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2786",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to \"Group join request notifications sent to wrong group leaders.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73394",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73394"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2786",
"datePublished": "2015-03-29T21:00:00",
"dateReserved": "2015-03-29T00:00:00",
"dateUpdated": "2024-08-06T05:24:38.933Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3069 (GCVE-0-2008-3069)
Vulnerability from cvelistv5
Published
2008-07-08 18:00
Modified
2024-08-07 09:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T09:21:34.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-05-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-27T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3069",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/attachment.php?aid=9272",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31013"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=31666",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3069",
"datePublished": "2008-07-08T18:00:00",
"dateReserved": "2008-07-08T00:00:00",
"dateUpdated": "2024-08-07T09:21:34.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43709 (GCVE-0-2022-43709)
Vulnerability from cvelistv5
Published
2022-11-21 00:00
Modified
2025-04-29 14:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:11:55.961688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:12:48.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP\u0027s Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-21T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-43709",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-24T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:12:48.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4569 (GCVE-0-2011-4569)
Vulnerability from cvelistv5
Published
2011-11-29 11:00
Modified
2024-08-07 00:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:09:19.028Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "50049",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50049"
},
{
"name": "mybbforum-image2-sql-injection(70474)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70474"
},
{
"name": "17962",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/17962"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-10-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "50049",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50049"
},
{
"name": "mybbforum-image2-sql-injection(70474)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70474"
},
{
"name": "17962",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/17962"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4569",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "50049",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50049"
},
{
"name": "mybbforum-image2-sql-injection(70474)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70474"
},
{
"name": "17962",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/17962"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4569",
"datePublished": "2011-11-29T11:00:00",
"dateReserved": "2011-11-28T00:00:00",
"dateUpdated": "2024-08-07T00:09:19.028Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9414 (GCVE-0-2016-9414)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.918Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9414",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9414",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9405 (GCVE-0-2016-9405)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.882Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9405",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9405",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.882Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9408 (GCVE-0-2016-9408)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.699Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9408",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9408",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.699Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29458 (GCVE-0-2025-29458)
Vulnerability from cvelistv5
Published
2025-04-17 00:00
Modified
2025-04-23 13:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29458",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T15:44:36.560618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T15:45:11.353Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T13:01:06.479Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e"
},
{
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-29458",
"datePublished": "2025-04-17T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-23T13:01:06.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7566 (GCVE-0-2017-7566)
Vulnerability from cvelistv5
Published
2017-04-06 16:00
Modified
2024-08-05 16:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:04:12.021Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "97480",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/97480"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-04-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-04-09T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "97480",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/97480"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-7566",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "97480",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/97480"
},
{
"name": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt",
"refsource": "MISC",
"url": "https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt"
},
{
"name": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781"
},
{
"name": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-7566",
"datePublished": "2017-04-06T16:00:00",
"dateReserved": "2017-04-06T00:00:00",
"dateUpdated": "2024-08-05T16:04:12.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2325 (GCVE-0-2012-2325)
Vulnerability from cvelistv5
Published
2012-08-13 18:00
Modified
2024-09-16 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:34:25.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-13T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2325",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "53417",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"name": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2325",
"datePublished": "2012-08-13T18:00:00Z",
"dateReserved": "2012-04-19T00:00:00Z",
"dateUpdated": "2024-09-16T23:55:43.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7288 (GCVE-0-2013-7288)
Vulnerability from cvelistv5
Published
2014-01-10 16:00
Modified
2024-09-17 01:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.288Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101544",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/show/osvdb/101544"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-10T16:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101544",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/show/osvdb/101544"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7288",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/commit/238696e37d6a22b89e6bba11e4de3e6620cb5547"
},
{
"name": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101544",
"refsource": "OSVDB",
"url": "http://osvdb.org/show/osvdb/101544"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7288",
"datePublished": "2014-01-10T16:00:00Z",
"dateReserved": "2014-01-10T00:00:00Z",
"dateUpdated": "2024-09-17T01:50:54.525Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-3759 (GCVE-0-2011-3759)
Vulnerability from cvelistv5
Published
2011-09-23 23:00
Modified
2024-09-17 00:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T23:46:02.871Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2011-09-23T23:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-3759",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2011/06/27/6"
},
{
"name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README",
"refsource": "MISC",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README"
},
{
"name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6",
"refsource": "MISC",
"url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/mybb-1.6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-3759",
"datePublished": "2011-09-23T23:00:00Z",
"dateReserved": "2011-09-23T00:00:00Z",
"dateUpdated": "2024-09-17T00:55:31.133Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4625 (GCVE-0-2010-4625)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.744Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/809"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://community.mybb.com/thread-66255.html"
},
{
"name": "mybb-hidden-threads-info-disc(64517)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64517"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/809"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://community.mybb.com/thread-66255.html"
},
{
"name": "mybb-hidden-threads-info-disc(64517)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64517"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4625",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "http://dev.mybboard.net/issues/809",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/809"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "http://community.mybb.com/thread-66255.html",
"refsource": "MISC",
"url": "http://community.mybb.com/thread-66255.html"
},
{
"name": "mybb-hidden-threads-info-disc(64517)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64517"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4625",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.744Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5908 (GCVE-0-2012-5908)
Vulnerability from cvelistv5
Published
2012-11-17 21:00
Modified
2024-08-06 21:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:21:28.081Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-index-conditionsusergroup-xss(74397)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74397"
},
{
"name": "80633",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/80633"
},
{
"name": "52743",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-03-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-index-conditionsusergroup-xss(74397)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74397"
},
{
"name": "80633",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/80633"
},
{
"name": "52743",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/52743"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5908",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-index-conditionsusergroup-xss(74397)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74397"
},
{
"name": "80633",
"refsource": "OSVDB",
"url": "http://osvdb.org/80633"
},
{
"name": "52743",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/52743"
},
{
"name": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.org/files/111238/MyBB-1.6.6-Cross-Site-Scripting-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5908",
"datePublished": "2012-11-17T21:00:00",
"dateReserved": "2012-11-17T00:00:00",
"dateUpdated": "2024-08-06T21:21:28.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-19049 (GCVE-0-2020-19049)
Vulnerability from cvelistv5
Published
2021-08-31 13:16
Modified
2024-08-04 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.631Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/joelister/bug/issues/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Description\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-31T13:16:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/joelister/bug/issues/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19049",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Description\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/joelister/bug/issues/2",
"refsource": "MISC",
"url": "https://github.com/joelister/bug/issues/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19049",
"datePublished": "2021-08-31T13:16:35",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27946 (GCVE-0-2021-27946)
Vulnerability from cvelistv5
Published
2021-03-15 17:08
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.343Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T17:06:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27946",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p"
},
{
"name": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27946",
"datePublished": "2021-03-15T17:08:09",
"dateReserved": "2021-03-04T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.343Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-3827 (GCVE-0-2014-3827)
Vulnerability from cvelistv5
Published
2020-02-11 18:23
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T10:57:17.354Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T18:42:26",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://adamziaja.com/poc/201312-xss-mybb.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-3827",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "https://adamziaja.com/poc/201312-xss-mybb.html",
"refsource": "MISC",
"url": "https://adamziaja.com/poc/201312-xss-mybb.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-3827",
"datePublished": "2020-02-11T18:23:37",
"dateReserved": "2014-05-22T00:00:00",
"dateUpdated": "2024-08-06T10:57:17.354Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9410 (GCVE-0-2016-9410)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.938Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9410",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9410",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.938Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9416 (GCVE-0-2016-9416)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.707Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9416",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9416",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-19048 (GCVE-0-2020-19048)
Vulnerability from cvelistv5
Published
2021-08-31 13:16
Modified
2024-08-04 14:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:08:30.702Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/joelister/bug/issues/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Title\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-31T13:16:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/joelister/bug/issues/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-19048",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the \"Title\" field found in the \"Add New Forum\" page by doing an authenticated POST HTTP request to \u0027/Upload/admin/index.php?module=forum-management\u0026action=add\u0027."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/joelister/bug/issues/1",
"refsource": "MISC",
"url": "https://github.com/joelister/bug/issues/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-19048",
"datePublished": "2021-08-31T13:16:34",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:08:30.702Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3967 (GCVE-0-2008-3967)
Vulnerability from cvelistv5
Published
2008-09-10 15:00
Modified
2024-08-07 10:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:00:42.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-09-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-10-24T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3967",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31760"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=36022",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"name": "http://community.mybboard.net/attachment.php?aid=10579",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3967",
"datePublished": "2008-09-10T15:00:00",
"dateReserved": "2008-09-09T00:00:00",
"dateUpdated": "2024-08-07T10:00:42.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4522 (GCVE-0-2010-4522)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-09-16 20:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:16.972Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/"
},
{
"name": "[oss-security] 20101220 CVE Request: MyBB XSS bugs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/20/1"
},
{
"name": "[oss-security] 20101221 Re: CVE Request: MyBB XSS bugs",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/22/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2010-12-30T20:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/"
},
{
"name": "[oss-security] 20101220 CVE Request: MyBB XSS bugs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/20/1"
},
{
"name": "[oss-security] 20101221 Re: CVE Request: MyBB XSS bugs",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/22/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-4522",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/12/15/mybb-1-6-1-release-1-4-14-update/"
},
{
"name": "[oss-security] 20101220 CVE Request: MyBB XSS bugs",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/20/1"
},
{
"name": "[oss-security] 20101221 Re: CVE Request: MyBB XSS bugs",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/22/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-4522",
"datePublished": "2010-12-30T20:00:00Z",
"dateReserved": "2010-12-09T00:00:00Z",
"dateUpdated": "2024-09-16T20:22:36.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41362 (GCVE-0-2023-41362)
Vulnerability from cvelistv5
Published
2023-08-29 00:00
Modified
2024-10-01 20:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:35.079Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.36/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch"
},
{
"tags": [
"x_transferred"
],
"url": "https://blog.sorcery.ie/posts/mybb_acp_rce/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41362",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T20:41:18.158347Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T20:41:29.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-11T14:36:20.658652",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com/versions/1.8.36/"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5"
},
{
"url": "https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch"
},
{
"url": "https://blog.sorcery.ie/posts/mybb_acp_rce/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-41362",
"datePublished": "2023-08-29T00:00:00",
"dateReserved": "2023-08-29T00:00:00",
"dateUpdated": "2024-10-01T20:41:29.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3071 (GCVE-0-2008-3071)
Vulnerability from cvelistv5
Published
2008-07-08 18:00
Modified
2024-08-07 09:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T09:21:35.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-05-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-11-27T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31013"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3071",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/attachment.php?aid=9272",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=9272"
},
{
"name": "31013",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31013"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=31666",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=31666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3071",
"datePublished": "2008-07-08T18:00:00",
"dateReserved": "2008-07-08T00:00:00",
"dateUpdated": "2024-08-07T09:21:35.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9417 (GCVE-0-2016-9417)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.392Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9417",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9417",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.392Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4624 (GCVE-0-2010-4624)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.658Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/728"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-mycodes-security-bypass(64518)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64518"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/728"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-mycodes-security-bypass(64518)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64518"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4624",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "http://dev.mybboard.net/issues/728",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/728"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "mybb-mycodes-security-bypass(64518)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64518"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4624",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8975 (GCVE-0-2015-8975)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 08:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:30.559Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8975",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8975",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T08:36:30.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-5131 (GCVE-0-2011-5131)
Vulnerability from cvelistv5
Published
2012-08-30 22:00
Modified
2024-08-07 00:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user's language via the language parameter.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:23:40.140Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybb.com/issues/1729"
},
{
"name": "77327",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/77327"
},
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46951"
},
{
"name": "mybb-language-setting-csrf(71462)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71462"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50816"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-10-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user\u0027s language via the language parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybb.com/issues/1729"
},
{
"name": "77327",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/77327"
},
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46951"
},
{
"name": "mybb-language-setting-csrf(71462)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71462"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50816"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5131",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user\u0027s language via the language parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://dev.mybb.com/issues/1729",
"refsource": "CONFIRM",
"url": "http://dev.mybb.com/issues/1729"
},
{
"name": "77327",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/77327"
},
{
"name": "46951",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46951"
},
{
"name": "mybb-language-setting-csrf(71462)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71462"
},
{
"name": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50816"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-5131",
"datePublished": "2012-08-30T22:00:00",
"dateReserved": "2012-08-30T00:00:00",
"dateUpdated": "2024-08-07T00:23:40.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9412 (GCVE-0-2016-9412)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9412",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9412",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-15596 (GCVE-0-2018-15596)
Vulnerability from cvelistv5
Published
2018-08-28 19:00
Modified
2024-08-05 10:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:01:53.370Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "45393",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/45393/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-08-22T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=\u0026type=atom1.0\u0026limit=15. The thread titles (within title elements of the generated XML documents) aren\u0027t sanitized, leading to XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-14T09:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "45393",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/45393/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-15596",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=\u0026type=atom1.0\u0026limit=15. The thread titles (within title elements of the generated XML documents) aren\u0027t sanitized, leading to XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "45393",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/45393/"
},
{
"name": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2018/08/22/mybb-1-8-18-released-security-maintenance-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-15596",
"datePublished": "2018-08-28T19:00:00",
"dateReserved": "2018-08-20T00:00:00",
"dateUpdated": "2024-08-05T10:01:53.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-0788 (GCVE-0-2008-0788)
Vulnerability from cvelistv5
Published
2008-02-15 00:00
Modified
2024-08-07 08:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T08:01:38.909Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=27675"
},
{
"name": "28572",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28572/"
},
{
"name": "20080118 MyBB 1.2.11 Multiple XSRF Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/486663"
},
{
"name": "ADV-2008-0238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/0238"
},
{
"name": "3656",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/3656"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-01-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-04-15T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://community.mybboard.net/showthread.php?tid=27675"
},
{
"name": "28572",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28572/"
},
{
"name": "20080118 MyBB 1.2.11 Multiple XSRF Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/486663"
},
{
"name": "ADV-2008-0238",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/0238"
},
{
"name": "3656",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/3656"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-0788",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/showthread.php?tid=27675",
"refsource": "MISC",
"url": "http://community.mybboard.net/showthread.php?tid=27675"
},
{
"name": "28572",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28572/"
},
{
"name": "20080118 MyBB 1.2.11 Multiple XSRF Vulnerabilities",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/486663"
},
{
"name": "ADV-2008-0238",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/0238"
},
{
"name": "3656",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/3656"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-0788",
"datePublished": "2008-02-15T00:00:00",
"dateReserved": "2008-02-14T00:00:00",
"dateUpdated": "2024-08-07T08:01:38.909Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-22612 (GCVE-0-2020-22612)
Vulnerability from cvelistv5
Published
2023-09-01 00:00
Modified
2024-10-01 16:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Installer RCE on settings file write in MyBB before 1.8.22.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:51:10.826Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.22/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2020-22612",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-01T16:51:14.227414Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-01T16:51:57.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Installer RCE on settings file write in MyBB before 1.8.22."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-01T15:04:10.910557",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com/versions/1.8.22/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-22612",
"datePublished": "2023-09-01T00:00:00",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-10-01T16:51:57.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4628 (GCVE-0-2010-4628)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "mybb-sqlcount-dos(64514)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64514"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/662"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "mybb-sqlcount-dos(64514)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64514"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/662"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4628",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "mybb-sqlcount-dos(64514)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64514"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
},
{
"name": "http://dev.mybboard.net/issues/662",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/662"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4628",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.919Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27948 (GCVE-0-2021-27948)
Vulnerability from cvelistv5
Published
2021-03-15 17:13
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.242Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T17:13:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27948",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3p9w-2q65-r6g2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27948",
"datePublished": "2021-03-15T17:13:33",
"dateReserved": "2021-03-04T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.242Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24734 (GCVE-0-2022-24734)
Vulnerability from cvelistv5
Published
2022-03-09 21:25
Modified
2025-04-22 18:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:20:49.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.30/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24734",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:44:10.816237Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:19:20.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 1.8.30"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. In affected versions the Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB\u0027s Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-31T18:06:18.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.30/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html"
}
],
"source": {
"advisory": "GHSA-876v-gwgh-w57f",
"discovery": "UNKNOWN"
},
"title": "Remote code execution in mybb",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24734",
"STATE": "PUBLIC",
"TITLE": "Remote code execution in mybb"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "mybb",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.2.0, \u003c 1.8.30"
}
]
}
}
]
},
"vendor_name": "mybb"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB is a free and open source forum software. In affected versions the Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB\u0027s Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f"
},
{
"name": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/commit/92012b9831b330714b9f9b4646a98784113489c1"
},
{
"name": "https://mybb.com/versions/1.8.30/",
"refsource": "MISC",
"url": "https://mybb.com/versions/1.8.30/"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/",
"refsource": "MISC",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-22-503/"
},
{
"name": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167082/MyBB-1.8.29-Remote-Code-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167333/MyBB-Admin-Control-Remote-Code-Execution.html"
}
]
},
"source": {
"advisory": "GHSA-876v-gwgh-w57f",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24734",
"datePublished": "2022-03-09T21:25:08.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:19:20.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-5133 (GCVE-0-2011-5133)
Vulnerability from cvelistv5
Published
2012-08-30 22:00
Modified
2024-09-17 00:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:23:40.148Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46951"
},
{
"name": "77325",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/77325"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50816"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an \"unparsed user avatar in the buddy list.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-30T22:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "46951",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46951"
},
{
"name": "77325",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/77325"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50816"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5133",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an \"unparsed user avatar in the buddy list.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46951",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46951"
},
{
"name": "77325",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/77325"
},
{
"name": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2011/11/25/mybb-1-6-5-released-feature-update-security-maintenance-release/"
},
{
"name": "50816",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50816"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-5133",
"datePublished": "2012-08-30T22:00:00Z",
"dateReserved": "2012-08-30T00:00:00Z",
"dateUpdated": "2024-09-17T00:51:26.797Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8973 (GCVE-0-2015-8973)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 08:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:30.417Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8973",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8973",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T08:36:30.417Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8977 (GCVE-0-2015-8977)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 08:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:30.817Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-02T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8977",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8977",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T08:36:30.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-7275 (GCVE-0-2013-7275)
Vulnerability from cvelistv5
Published
2014-01-08 15:00
Modified
2024-09-16 19:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup.
References
| ► | URL | Tags | |||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T18:01:20.338Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101545",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/101545"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-08T15:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101545",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/101545"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-7275",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/commit/6212bc954d72caf591e141ca36b8df964387bee8"
},
{
"name": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2013/12/16/mybb-1-6-12-released-security-maintenance-release"
},
{
"name": "55945",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/55945"
},
{
"name": "64570",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64570"
},
{
"name": "101545",
"refsource": "OSVDB",
"url": "http://osvdb.org/101545"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-7275",
"datePublished": "2014-01-08T15:00:00Z",
"dateReserved": "2014-01-08T00:00:00Z",
"dateUpdated": "2024-09-16T19:45:42.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-4930 (GCVE-0-2008-4930)
Vulnerability from cvelistv5
Published
2008-11-04 20:00
Modified
2024-09-16 23:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer's content inspection, aka "Incomplete protection against MIME-sniffing." NOTE: this could be leveraged for XSS and other attacks.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:31:28.282Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer\u0027s content inspection, aka \"Incomplete protection against MIME-sniffing.\" NOTE: this could be leveraged for XSS and other attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-11-04T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4930",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer\u0027s content inspection, aka \"Incomplete protection against MIME-sniffing.\" NOTE: this could be leveraged for XSS and other attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-4930",
"datePublished": "2008-11-04T20:00:00Z",
"dateReserved": "2008-11-04T00:00:00Z",
"dateUpdated": "2024-09-16T23:10:27.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-6844 (GCVE-0-2018-6844)
Vulnerability from cvelistv5
Published
2018-02-08 07:00
Modified
2024-08-05 06:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:17:15.847Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-02-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-08T06:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-6844",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html",
"refsource": "MISC",
"url": "https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-6844",
"datePublished": "2018-02-08T07:00:00",
"dateReserved": "2018-02-08T00:00:00",
"dateUpdated": "2024-08-05T06:17:15.847Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3578 (GCVE-0-2019-3578)
Vulnerability from cvelistv5
Published
2019-06-06 18:13
Modified
2024-08-04 19:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.19 has XSS in the resetpassword function.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.635Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.19 has XSS in the resetpassword function."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-06T18:13:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-3578",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.8.19 has XSS in the resetpassword function."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"name": "https://blog.mybb.com/",
"refsource": "MISC",
"url": "https://blog.mybb.com/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-3578",
"datePublished": "2019-06-06T18:13:52",
"dateReserved": "2019-01-02T00:00:00",
"dateUpdated": "2024-08-04T19:12:09.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27949 (GCVE-0-2021-27949)
Vulnerability from cvelistv5
Published
2021-03-15 17:19
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.251Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-15T17:19:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27949",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27949",
"datePublished": "2021-03-15T17:19:11",
"dateReserved": "2021-03-04T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.251Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4552 (GCVE-0-2015-4552)
Vulnerability from cvelistv5
Published
2015-09-03 17:00
Modified
2024-08-06 06:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1033471",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1033471"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://adrianhayter.com/exploits.php"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-05-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-12-20T16:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "1033471",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1033471"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://adrianhayter.com/exploits.php"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4552",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1033471",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1033471"
},
{
"name": "http://adrianhayter.com/exploits.php",
"refsource": "MISC",
"url": "http://adrianhayter.com/exploits.php"
},
{
"name": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/05/27/mybb-1-8-5-1-6-17-merge-system-1-8-5-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4552",
"datePublished": "2015-09-03T17:00:00",
"dateReserved": "2015-06-14T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43281 (GCVE-0-2021-43281)
Vulnerability from cvelistv5
Published
2021-11-04 17:42
Modified
2024-08-04 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:28.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.29 allows Remote Code Injection by an admin with the \"Can manage settings?\" permission. The Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type \"php\" with PHP code, executed on Change Settings pages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-11-04T17:42:34",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43281",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB before 1.8.29 allows Remote Code Injection by an admin with the \"Can manage settings?\" permission. The Admin CP\u0027s Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type \"php\" with PHP code, executed on Change Settings pages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43281",
"datePublished": "2021-11-04T17:42:34",
"dateReserved": "2021-11-02T00:00:00",
"dateUpdated": "2024-08-04T03:55:28.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-43708 (GCVE-0-2022-43708)
Vulnerability from cvelistv5
Published
2022-11-21 00:00
Modified
2025-04-29 14:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:40:06.325Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-43708",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-29T14:13:38.459675Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-29T14:15:07.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-21T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-43708",
"datePublished": "2022-11-21T00:00:00.000Z",
"dateReserved": "2022-10-24T00:00:00.000Z",
"dateUpdated": "2025-04-29T14:15:07.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2352 (GCVE-0-2015-2352)
Vulnerability from cvelistv5
Published
2015-03-19 14:00
Modified
2024-08-06 05:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:10:16.295Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73257",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73257"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73257",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73257"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2352",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73257",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73257"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2352",
"datePublished": "2015-03-19T14:00:00",
"dateReserved": "2015-03-19T00:00:00",
"dateUpdated": "2024-08-06T05:10:16.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23335 (GCVE-0-2024-23335)
Vulnerability from cvelistv5
Published
2024-05-01 06:27
Modified
2024-08-01 22:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-20 - Improper Input Validation
Summary
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23335",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T14:28:16.476681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-05T17:22:58.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"
},
{
"name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T06:27:42.162Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"
},
{
"name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"source": {
"advisory": "GHSA-94xr-g4ww-j47r",
"discovery": "UNKNOWN"
},
"title": "Backups directory .htaccess deletion in. MyBB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23335",
"datePublished": "2024-05-01T06:27:42.162Z",
"dateReserved": "2024-01-15T15:19:19.443Z",
"dateUpdated": "2024-08-01T22:59:32.211Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2335 (GCVE-0-2015-2335)
Vulnerability from cvelistv5
Published
2015-03-18 14:00
Modified
2024-08-06 05:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:10:16.275Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73216",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73216"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73216",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73216"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2335",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73216",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73216"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2335",
"datePublished": "2015-03-18T14:00:00",
"dateReserved": "2015-03-18T00:00:00",
"dateUpdated": "2024-08-06T05:10:16.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-5096 (GCVE-0-2010-5096)
Vulnerability from cvelistv5
Published
2012-08-13 23:00
Modified
2024-09-17 04:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2010-5096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-08T15:52:23.724097Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T18:44:49.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "ADP Container"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-07T04:09:39.121Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "70014",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/70014"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://dev.mybb.com/issues/1330"
},
{
"name": "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/7"
},
{
"name": "70013",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/70013"
},
{
"name": "45565",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/45565"
},
{
"name": "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 \u003c= SQL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/25/1"
},
{
"name": "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/3"
},
{
"name": "[oss-security] 20120323 CVE-request: MyBB 1.6 \u003c= SQL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying \"Although this doesn\u0027t lead to an SQL injection, it does provide a general MyBB SQL error."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-13T23:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "70014",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/70014"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://dev.mybb.com/issues/1330"
},
{
"name": "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/7"
},
{
"name": "70013",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/70013"
},
{
"name": "45565",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/45565"
},
{
"name": "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 \u003c= SQL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/25/1"
},
{
"name": "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/3"
},
{
"name": "[oss-security] 20120323 CVE-request: MyBB 1.6 \u003c= SQL Injection",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/4"
}
],
"tags": [
"disputed"
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2010-5096",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** DISPUTED ** Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying \"Although this doesn\u0027t lead to an SQL injection, it does provide a general MyBB SQL error.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "70014",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/70014"
},
{
"name": "http://dev.mybb.com/issues/1330",
"refsource": "MISC",
"url": "http://dev.mybb.com/issues/1330"
},
{
"name": "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/7"
},
{
"name": "70013",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/70013"
},
{
"name": "45565",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/45565"
},
{
"name": "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 \u003c= SQL Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/03/25/1"
},
{
"name": "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/08/3"
},
{
"name": "[oss-security] 20120323 CVE-request: MyBB 1.6 \u003c= SQL Injection",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/03/23/4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2010-5096",
"datePublished": "2012-08-13T23:00:00Z",
"dateReserved": "2012-04-30T00:00:00Z",
"dateUpdated": "2024-09-17T04:10:28.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-16781 (GCVE-0-2017-16781)
Vulnerability from cvelistv5
Published
2017-11-10 23:00
Modified
2024-08-05 20:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The installer in MyBB before 1.8.13 has XSS.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T20:35:21.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43137",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/43137/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-11-10T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The installer in MyBB before 1.8.13 has XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-20T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43137",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/43137/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-16781",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The installer in MyBB before 1.8.13 has XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release/"
},
{
"name": "43137",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/43137/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-16781",
"datePublished": "2017-11-10T23:00:00",
"dateReserved": "2017-11-10T00:00:00",
"dateUpdated": "2024-08-05T20:35:21.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9404 (GCVE-0-2016-9404)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.353Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9404",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9404",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52702 (GCVE-0-2024-52702)
Vulnerability from cvelistv5
Published
2024-11-20 00:00
Modified
2024-11-20 20:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "1.8.38"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52702",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-20T20:57:08.009448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T20:57:10.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting (XSS) vulnerability in the component install\\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-20T20:20:23.312729",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/mybb/mybb/issues/4859"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-52702",
"datePublished": "2024-11-20T00:00:00",
"dateReserved": "2024-11-15T00:00:00",
"dateUpdated": "2024-11-20T20:57:10.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2326 (GCVE-0-2012-2326)
Vulnerability from cvelistv5
Published
2012-08-13 18:00
Modified
2024-09-16 16:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:34:23.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-13T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2326",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "53417",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"name": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2326",
"datePublished": "2012-08-13T18:00:00Z",
"dateReserved": "2012-04-19T00:00:00Z",
"dateUpdated": "2024-09-16T16:37:30.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9418 (GCVE-0-2016-9418)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9418",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9418",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28467 (GCVE-0-2023-28467)
Vulnerability from cvelistv5
Published
2023-05-22 00:00
Modified
2025-01-21 15:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.477Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://mybb.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28467",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-21T15:25:35.927025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-21T15:26:10.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In MyBB before 1.8.34, there is XSS in the User CP module via the user email field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-22T00:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://mybb.com"
},
{
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-28467",
"datePublished": "2023-05-22T00:00:00",
"dateReserved": "2023-03-15T00:00:00",
"dateUpdated": "2025-01-21T15:26:10.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29460 (GCVE-0-2025-29460)
Vulnerability from cvelistv5
Published
2025-04-17 00:00
Modified
2025-04-23 13:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29460",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T14:01:22.256800Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T14:02:08.893Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T13:04:01.605Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.yuque.com/morysummer/vx41bz/fgg059stiog457ch"
},
{
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-29460",
"datePublished": "2025-04-17T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-23T13:04:01.605Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9240 (GCVE-0-2014-9240)
Vulnerability from cvelistv5
Published
2014-12-03 21:00
Modified
2024-09-17 03:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:40:25.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-12-03T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9240",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2014/11/13/mybb-1-8-2-released-security-release/"
},
{
"name": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/129109/MyBB-1.8.1-Cross-Site-Scripting-SQL-Injection.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9240",
"datePublished": "2014-12-03T21:00:00Z",
"dateReserved": "2014-12-03T00:00:00Z",
"dateUpdated": "2024-09-17T03:03:49.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-19202 (GCVE-0-2018-19202)
Vulnerability from cvelistv5
Published
2019-04-11 20:00
Modified
2024-08-05 11:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T11:30:04.217Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.20/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2019-02-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the \u0027upsetting[bburl]\u0027 parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-11T20:00:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mybb.com/versions/1.8.20/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-19202",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the \u0027upsetting[bburl]\u0027 parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/"
},
{
"name": "https://mybb.com/versions/1.8.20/",
"refsource": "CONFIRM",
"url": "https://mybb.com/versions/1.8.20/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-19202",
"datePublished": "2019-04-11T20:00:10",
"dateReserved": "2018-11-12T00:00:00",
"dateUpdated": "2024-08-05T11:30:04.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9411 (GCVE-0-2016-9411)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9411",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9411",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-0689 (GCVE-0-2007-0689)
Vulnerability from cvelistv5
Published
2007-05-14 21:00
Modified
2024-08-07 12:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T12:26:54.361Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "34155",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/34155"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/468549/100/0/threaded"
},
{
"name": "mybb-eventmembercaptcha-info-disclosure(34336)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34336"
},
{
"name": "35549",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/35549"
},
{
"name": "35548",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/35548"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=117909973216181\u0026w=2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.netvigilance.com/advisory0017"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-05-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "34155",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/34155"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/468549/100/0/threaded"
},
{
"name": "mybb-eventmembercaptcha-info-disclosure(34336)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34336"
},
{
"name": "35549",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/35549"
},
{
"name": "35548",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/35548"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://marc.info/?l=full-disclosure\u0026m=117909973216181\u0026w=2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.netvigilance.com/advisory0017"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-0689",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "34155",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/34155"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/468549/100/0/threaded"
},
{
"name": "mybb-eventmembercaptcha-info-disclosure(34336)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34336"
},
{
"name": "35549",
"refsource": "OSVDB",
"url": "http://osvdb.org/35549"
},
{
"name": "35548",
"refsource": "OSVDB",
"url": "http://osvdb.org/35548"
},
{
"name": "20070513 MyBB version 1.2.4 Multiple Path Disclosure Vulnerabilities",
"refsource": "FULLDISC",
"url": "http://marc.info/?l=full-disclosure\u0026m=117909973216181\u0026w=2"
},
{
"name": "http://www.netvigilance.com/advisory0017",
"refsource": "MISC",
"url": "http://www.netvigilance.com/advisory0017"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-0689",
"datePublished": "2007-05-14T21:00:00",
"dateReserved": "2007-02-03T00:00:00",
"dateUpdated": "2024-08-07T12:26:54.361Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9409 (GCVE-0-2016-9409)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9409",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9409",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2006-0218 (GCVE-0-2006-0218)
Vulnerability from cvelistv5
Published
2006-01-16 21:00
Modified
2024-09-17 02:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T16:25:34.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=5852"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2006-01-16T21:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=5852"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2006-0218",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://community.mybboard.net/showthread.php?tid=5852",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=5852"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2006-0218",
"datePublished": "2006-01-16T21:00:00Z",
"dateReserved": "2006-01-16T00:00:00Z",
"dateUpdated": "2024-09-17T02:37:44.003Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2333 (GCVE-0-2015-2333)
Vulnerability from cvelistv5
Published
2015-03-18 14:00
Modified
2024-08-06 05:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:10:16.025Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73213",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/73213"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-11-30T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73213",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/73213"
},
{
"name": "1031953",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1031953"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2333",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/"
},
{
"name": "73213",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73213"
},
{
"name": "1031953",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1031953"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2333",
"datePublished": "2015-03-18T14:00:00",
"dateReserved": "2015-03-18T00:00:00",
"dateUpdated": "2024-08-06T05:10:16.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8974 (GCVE-0-2015-8974)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 08:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:30.884Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8974",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8974",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T08:36:30.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9420 (GCVE-0-2016-9420)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to \"loose comparison false positives.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9420",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to \"loose comparison false positives.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9420",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2327 (GCVE-0-2012-2327)
Vulnerability from cvelistv5
Published
2012-08-13 18:00
Modified
2024-09-17 02:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:34:25.645Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-13T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2327",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "53417",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"name": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2327",
"datePublished": "2012-08-13T18:00:00Z",
"dateReserved": "2012-04-19T00:00:00Z",
"dateUpdated": "2024-09-17T02:58:18.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4626 (GCVE-0-2010-4626)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/843"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "mybb-myrand-unauth-access(64516)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64516"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account\u0027s password, and then conducting a brute-force attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/843"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "mybb-myrand-unauth-access(64516)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64516"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4626",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account\u0027s password, and then conducting a brute-force attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://dev.mybboard.net/issues/843",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/843"
},
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "mybb-myrand-unauth-access(64516)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64516"
},
{
"name": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4872"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4626",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3965 (GCVE-0-2008-3965)
Vulnerability from cvelistv5
Published
2008-09-10 15:00
Modified
2024-08-07 10:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:00:42.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-09-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-10-24T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31760"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=36022",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"name": "http://community.mybboard.net/attachment.php?aid=10579",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3965",
"datePublished": "2008-09-10T15:00:00",
"dateReserved": "2008-09-09T00:00:00",
"dateUpdated": "2024-08-07T10:00:42.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-0622 (GCVE-0-2007-0622)
Vulnerability from cvelistv5
Published
2007-01-31 18:00
Modified
2024-08-07 12:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T12:26:54.431Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "23934",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/23934"
},
{
"name": "32968",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/32968"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-01-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-11-15T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "23934",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/23934"
},
{
"name": "32968",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/32968"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-0622",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "23934",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/23934"
},
{
"name": "32968",
"refsource": "OSVDB",
"url": "http://osvdb.org/32968"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-0622",
"datePublished": "2007-01-31T18:00:00",
"dateReserved": "2007-01-31T00:00:00",
"dateUpdated": "2024-08-07T12:26:54.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000503 (GCVE-0-2018-1000503)
Vulnerability from cvelistv5
Published
2018-06-26 16:00
Modified
2024-08-05 12:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.100Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-06-23T00:00:00",
"datePublic": "2018-06-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-06-26T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-06-23T11:22:33.003968",
"DATE_REQUESTED": "2018-04-07T06:38:39",
"ID": "CVE-2018-1000503",
"REQUESTER": "riley@mailo.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html",
"refsource": "MISC",
"url": "http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html"
},
{
"name": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000503",
"datePublished": "2018-06-26T16:00:00",
"dateReserved": "2018-04-07T00:00:00",
"dateUpdated": "2024-08-05T12:40:47.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-41866 (GCVE-0-2021-41866)
Vulnerability from cvelistv5
Published
2021-10-26 21:25
Modified
2024-08-04 03:22
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:22:25.530Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP\u0027s theme management is not escaped properly."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-10-26T21:25:47",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-41866",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP\u0027s theme management is not escaped properly."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/"
},
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7",
"refsource": "CONFIRM",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-41866",
"datePublished": "2021-10-26T21:25:47",
"dateReserved": "2021-10-04T00:00:00",
"dateUpdated": "2024-08-04T03:22:25.530Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3579 (GCVE-0-2019-3579)
Vulnerability from cvelistv5
Published
2019-06-06 18:11
Modified
2024-08-04 19:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.648Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-06-06T18:11:32",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-3579",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release/"
},
{
"name": "https://blog.mybb.com/",
"refsource": "MISC",
"url": "https://blog.mybb.com/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-3579",
"datePublished": "2019-06-06T18:11:32",
"dateReserved": "2019-01-02T00:00:00",
"dateUpdated": "2024-08-04T19:12:09.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48940 (GCVE-0-2025-48940)
Vulnerability from cvelistv5
Published
2025-06-02 15:52
Modified
2025-06-02 16:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48940",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T16:05:49.846057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T16:06:00.967Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.39"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:52:36.740Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-q4jv-xwjx-37cp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-q4jv-xwjx-37cp"
},
{
"name": "https://github.com/mybb/mybb/commit/6e6cfbd524d9101b51e1278ecf520479b64b0f00",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/6e6cfbd524d9101b51e1278ecf520479b64b0f00"
},
{
"name": "https://mybb.com/versions/1.8.39",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.39"
}
],
"source": {
"advisory": "GHSA-q4jv-xwjx-37cp",
"discovery": "UNKNOWN"
},
"title": "MyBB\u0027s upgrade component vulnerable to local file inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48940",
"datePublished": "2025-06-02T15:52:36.740Z",
"dateReserved": "2025-05-28T18:49:07.580Z",
"dateUpdated": "2025-06-02T16:06:00.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2007-1964 (GCVE-0-2007-1964)
Vulnerability from cvelistv5
Published
2007-04-11 10:00
Modified
2024-08-07 13:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T13:13:42.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20070330 Mybb Change Password Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/464267/100/100/threaded"
},
{
"name": "mybb-debugmode-information-disclosure(33345)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33345"
},
{
"name": "2544",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/2544"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2007-03-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account\u0027s registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20070330 Mybb Change Password Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/464267/100/100/threaded"
},
{
"name": "mybb-debugmode-information-disclosure(33345)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33345"
},
{
"name": "2544",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/2544"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2007-1964",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account\u0027s registered e-mail address in a debug request for a do_lostpw action, which prints the change password verification code in the debug output."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20070330 Mybb Change Password Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/464267/100/100/threaded"
},
{
"name": "mybb-debugmode-information-disclosure(33345)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/33345"
},
{
"name": "2544",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/2544"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2007-1964",
"datePublished": "2007-04-11T10:00:00",
"dateReserved": "2007-04-10T00:00:00",
"dateUpdated": "2024-08-07T13:13:42.011Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-8976 (GCVE-0-2015-8976)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 08:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files."
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:31.035Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-09-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \"old upgrade files.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8976",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to \"old upgrade files.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release/"
},
{
"name": "94397",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94397"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8976",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T08:36:31.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-17128 (GCVE-0-2018-17128)
Vulnerability from cvelistv5
Published
2018-09-17 04:00
Modified
2024-08-05 10:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T10:39:59.703Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/"
},
{
"name": "45449",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/45449/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-09-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-26T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/"
},
{
"name": "45449",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/45449/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-17128",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/",
"refsource": "MISC",
"url": "https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release/"
},
{
"name": "45449",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/45449/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-17128",
"datePublished": "2018-09-17T04:00:00",
"dateReserved": "2018-09-16T00:00:00",
"dateUpdated": "2024-08-05T10:39:59.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-4928 (GCVE-0-2008-4928)
Vulnerability from cvelistv5
Published
2008-11-04 20:00
Modified
2024-08-07 10:31
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:31:28.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "31935",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31935"
},
{
"name": "20081027 Re: MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0212.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"tags": [
"vdb-entry",
"x_refsource_VUPEN",
"x_transferred"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-10-27T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-11-15T10:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "31935",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31935"
},
{
"name": "20081027 Re: MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0212.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"tags": [
"vdb-entry",
"x_refsource_VUPEN"
],
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-4928",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "31935",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31935"
},
{
"name": "20081027 Re: MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0212.html"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2008-10/0203.html"
},
{
"name": "ADV-2008-2967",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2008/2967"
},
{
"name": "20081027 MyBB 1.4.2: Multiple Vulnerabilties",
"refsource": "FULLDISC",
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html"
},
{
"name": "[oss-security] 20081101 CVE request (Fwd: MyBB 1.4.2: Multiple Vulnerabilties)",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/11/01/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-4928",
"datePublished": "2008-11-04T20:00:00",
"dateReserved": "2008-11-04T00:00:00",
"dateUpdated": "2024-08-07T10:31:28.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-23336 (GCVE-0-2024-23336)
Vulnerability from cvelistv5
Published
2024-05-01 06:27
Modified
2024-08-01 22:59
Severity ?
VLAI Severity ?
EPSS score ?
Summary
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"lessThan": "1.8.38",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-23336",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-01T13:48:54.371730Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T14:06:34.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:59:32.176Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"name": "https://docs.mybb.com/1.8/administration/configuration-file",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "mybb",
"vendor": "mybb",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.38"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File\u0027s _Disallowed Remote Addresses_ list (`$config[\u0027disallowed_remote_addresses\u0027]`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8\u0027 to their disallowed address list."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184: Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-01T06:27:37.987Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h"
},
{
"name": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630"
},
{
"name": "https://docs.mybb.com/1.8/administration/configuration-file",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.mybb.com/1.8/administration/configuration-file"
},
{
"name": "https://mybb.com/versions/1.8.38",
"tags": [
"x_refsource_MISC"
],
"url": "https://mybb.com/versions/1.8.38"
}
],
"source": {
"advisory": "GHSA-qfrj-65mv-h75h",
"discovery": "UNKNOWN"
},
"title": "Incomplete disallowed remote addresses list in MyBB"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-23336",
"datePublished": "2024-05-01T06:27:37.987Z",
"dateReserved": "2024-01-15T15:19:19.443Z",
"dateUpdated": "2024-08-01T22:59:32.176Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-29459 (GCVE-0-2025-29459)
Vulnerability from cvelistv5
Published
2025-04-17 00:00
Modified
2025-04-23 13:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-29459",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-18T14:03:40.575875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-18T14:04:17.364Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T13:02:24.406Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.yuque.com/morysummer/vx41bz/ggnmg5nnu635kvrc"
},
{
"url": "https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses"
}
],
"tags": [
"disputed"
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-29459",
"datePublished": "2025-04-17T00:00:00.000Z",
"dateReserved": "2025-03-11T00:00:00.000Z",
"dateUpdated": "2025-04-23T13:02:24.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-2324 (GCVE-0-2012-2324)
Vulnerability from cvelistv5
Published
2012-08-13 18:00
Modified
2024-09-16 18:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T19:34:23.575Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2012-08-13T18:00:00Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "53417",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-2324",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP)."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "53417",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/53417"
},
{
"name": "[oss-security] 20120507 CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/13"
},
{
"name": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2012/04/01/mybb-1-6-7-update-1-8-development/"
},
{
"name": "[oss-security] 20120507 Re: CVE request: mybb before 1.6.7",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2012/05/07/14"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-2324",
"datePublished": "2012-08-13T18:00:00Z",
"dateReserved": "2012-04-19T00:00:00Z",
"dateUpdated": "2024-09-16T18:18:14.658Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-10678 (GCVE-0-2018-10678)
Vulnerability from cvelistv5
Published
2018-05-13 20:00
Modified
2024-08-05 07:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T07:46:46.382Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "104187",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/104187"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-05-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.15, when accessed with Microsoft Edge, mishandles \u0027target=\"_blank\" rel=\"noopener\"\u0027 in A elements, which makes it easier for remote attackers to conduct redirection attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-05-17T09:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "104187",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/104187"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-10678",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.8.15, when accessed with Microsoft Edge, mishandles \u0027target=\"_blank\" rel=\"noopener\"\u0027 in A elements, which makes it easier for remote attackers to conduct redirection attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "104187",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/104187"
},
{
"name": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc",
"refsource": "MISC",
"url": "https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-10678",
"datePublished": "2018-05-13T20:00:00",
"dateReserved": "2018-05-02T00:00:00",
"dateUpdated": "2024-08-05T07:46:46.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9415 (GCVE-0-2016-9415)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.036Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to \"style import.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9415",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to \"style import.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9415",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.036Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3334 (GCVE-0-2008-3334)
Vulnerability from cvelistv5
Published
2008-07-27 23:00
Modified
2024-08-07 09:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T09:37:27.076Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "31216",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31216"
},
{
"name": "30401",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/30401"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/thread-33865.html"
},
{
"name": "mybb-unspecified-xss(44034)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44034"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-07-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-07T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "31216",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31216"
},
{
"name": "30401",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/30401"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/thread-33865.html"
},
{
"name": "mybb-unspecified-xss(44034)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44034"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3334",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "31216",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31216"
},
{
"name": "30401",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/30401"
},
{
"name": "http://community.mybboard.net/thread-33865.html",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/thread-33865.html"
},
{
"name": "mybb-unspecified-xss(44034)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44034"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3334",
"datePublished": "2008-07-27T23:00:00",
"dateReserved": "2008-07-27T00:00:00",
"dateUpdated": "2024-08-07T09:37:27.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9419 (GCVE-0-2016-9419)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.340Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9419",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9419",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9421 (GCVE-0-2016-9421)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:38.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-10-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94396"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9421",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "94396",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94396"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9421",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:38.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-7305 (GCVE-0-2018-7305)
Vulnerability from cvelistv5
Published
2018-02-21 20:00
Modified
2024-09-16 22:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T06:24:11.858Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-21T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2018-7305",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html",
"refsource": "MISC",
"url": "https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-7305",
"datePublished": "2018-02-21T20:00:00Z",
"dateReserved": "2018-02-21T00:00:00Z",
"dateUpdated": "2024-09-16T22:36:27.532Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-0383 (GCVE-0-2008-0383)
Vulnerability from cvelistv5
Published
2008-01-22 19:00
Modified
2024-08-07 07:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php.
References
| ► | URL | Tags | ||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T07:46:54.256Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "27323",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/27323"
},
{
"name": "mybb-moderationphp-sql-injection(39728)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39728"
},
{
"name": "28509",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/28509"
},
{
"name": "mybb-usergroups-sql-injection(39729)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39729"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.waraxe.us/advisory-62.html"
},
{
"name": "3558",
"tags": [
"third-party-advisory",
"x_refsource_SREASON",
"x_transferred"
],
"url": "http://securityreason.com/securityalert/3558"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=27227"
},
{
"name": "20080116 [waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/486433/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-01-16T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-15T20:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "27323",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/27323"
},
{
"name": "mybb-moderationphp-sql-injection(39728)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39728"
},
{
"name": "28509",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/28509"
},
{
"name": "mybb-usergroups-sql-injection(39729)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39729"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.waraxe.us/advisory-62.html"
},
{
"name": "3558",
"tags": [
"third-party-advisory",
"x_refsource_SREASON"
],
"url": "http://securityreason.com/securityalert/3558"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=27227"
},
{
"name": "20080116 [waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/486433/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-0383",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "27323",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/27323"
},
{
"name": "mybb-moderationphp-sql-injection(39728)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39728"
},
{
"name": "28509",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/28509"
},
{
"name": "mybb-usergroups-sql-injection(39729)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39729"
},
{
"name": "http://www.waraxe.us/advisory-62.html",
"refsource": "MISC",
"url": "http://www.waraxe.us/advisory-62.html"
},
{
"name": "3558",
"refsource": "SREASON",
"url": "http://securityreason.com/securityalert/3558"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=27227",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=27227"
},
{
"name": "20080116 [waraxe-2008-SA#062] - Multiple Sql Injections in MyBB 1.2.10",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/486433/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-0383",
"datePublished": "2008-01-22T19:00:00",
"dateReserved": "2008-01-22T00:00:00",
"dateUpdated": "2024-08-07T07:46:54.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-4629 (GCVE-0-2010-4629)
Vulnerability from cvelistv5
Published
2010-12-30 20:00
Modified
2024-08-07 03:51
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php.
References
| ► | URL | Tags | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T03:51:17.935Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "mybb-uid-values-dos(64513)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64513"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://dev.mybboard.net/issues/722"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "mybb-uid-values-dos(64513)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64513"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://dev.mybboard.net/issues/722"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-4629",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "mybb-uid-values-dos(64513)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/64513"
},
{
"name": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update/"
},
{
"name": "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/08/7"
},
{
"name": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/projects/mybb/repository/revisions/4856"
},
{
"name": "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/10/11/8"
},
{
"name": "http://dev.mybboard.net/issues/722",
"refsource": "CONFIRM",
"url": "http://dev.mybboard.net/issues/722"
},
{
"name": "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
"refsource": "MLIST",
"url": "http://openwall.com/lists/oss-security/2010/12/06/2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-4629",
"datePublished": "2010-12-30T20:00:00",
"dateReserved": "2010-12-30T00:00:00",
"dateUpdated": "2024-08-07T03:51:17.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-9406 (GCVE-0-2016-9406)
Vulnerability from cvelistv5
Published
2017-01-31 22:00
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:50:37.700Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-03-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-02-01T10:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "94395",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-9406",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "94395",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94395"
},
{
"name": "[oss-security] 20161117 Re: CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/18/1"
},
{
"name": "[oss-security] 20161110 CVE request: MyBB multiple vulnerabilities",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/11/10/8"
},
{
"name": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/",
"refsource": "CONFIRM",
"url": "https://blog.mybb.com/2016/03/11/mybb-1-8-7-merge-system-1-8-7-release/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-9406",
"datePublished": "2017-01-31T22:00:00",
"dateReserved": "2016-11-17T00:00:00",
"dateUpdated": "2024-08-06T02:50:37.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27889 (GCVE-0-2021-27889)
Vulnerability from cvelistv5
Published
2021-03-15 16:57
Modified
2024-08-03 21:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:33:17.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-20T18:15:33",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-27889",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm",
"refsource": "MISC",
"url": "https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm"
},
{
"name": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html"
},
{
"name": "https://blog.sonarsource.com/mybb-remote-code-execution-chain",
"refsource": "MISC",
"url": "https://blog.sonarsource.com/mybb-remote-code-execution-chain"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-27889",
"datePublished": "2021-03-15T16:57:02",
"dateReserved": "2021-03-02T00:00:00",
"dateUpdated": "2024-08-03T21:33:17.199Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-5248 (GCVE-0-2014-5248)
Vulnerability from cvelistv5
Published
2014-08-14 18:00
Modified
2024-09-16 21:04
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T11:41:47.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "59707",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/59707"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-08-14T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "59707",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/59707"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5248",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "59707",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/59707"
},
{
"name": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release",
"refsource": "CONFIRM",
"url": "http://blog.mybb.com/2014/08/04/mybb-1-6-15-released-security-maintenance-release"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-5248",
"datePublished": "2014-08-14T18:00:00Z",
"dateReserved": "2014-08-14T00:00:00Z",
"dateUpdated": "2024-09-16T21:04:27.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2008-3966 (GCVE-0-2008-3966)
Vulnerability from cvelistv5
Published
2008-09-10 15:00
Modified
2024-08-07 10:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php.
References
| ► | URL | Tags | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T10:00:42.292Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2008-09-09T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2008-10-24T09:00:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/31760"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/31104"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-3966",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20080909 CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/1"
},
{
"name": "31760",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/31760"
},
{
"name": "http://community.mybboard.net/showthread.php?tid=36022",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/showthread.php?tid=36022"
},
{
"name": "31104",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/31104"
},
{
"name": "http://community.mybboard.net/attachment.php?aid=10579",
"refsource": "CONFIRM",
"url": "http://community.mybboard.net/attachment.php?aid=10579"
},
{
"name": "[oss-security] 20080909 Re: CVE request: mybb \u003c 1.4.1",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2008/09/09/9"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2008-3966",
"datePublished": "2008-09-10T15:00:00",
"dateReserved": "2008-09-09T00:00:00",
"dateUpdated": "2024-08-07T10:00:42.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}