CVE-2006-4706 - Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.1

CVE-2006-4706

Summary

Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.1.7 allows remote attackers to inject arbitrary web script or HTML via a url BBCode tag that contains a javascript URI with an SGML numeric character reference and an embedded space, as demonstrated using "java& #115;cript," a different vulnerability than CVE-2006-3761. This vulnerability is addressed in the following product release: MyBB, MyBB, 1.1.8

References

Vulnerable Configurations

cpe:2.3:a:mybulletinboard:mybulletinboard:1.1.7:*:*:*:*:*:*:*
cpe:2.3:a:mybulletinboard:mybulletinboard:1.1.7:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 17-10-2018 - 21:39)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

refmap via4

bugtraq	20060830 [KAPDA]MyBB 1.1.7~ htmlspeacialchar_uni(), fixjavascript(), functions_post.php ~[url]XSS attack
confirm	http://www.mybboard.com/archive.php?nid=18
misc	http://myimei.com/security/2006-08-15/mybb-117-htmlspeacialchar_uni-fixjavascript-functions_postphp-urlxss-attack.html
secunia	21697
sreason	1541
vupen	ADV-2006-3418

Last major update

17-10-2018 - 21:39

Published

12-09-2006 - 16:07

Last modified

17-10-2018 - 21:39