Vulnerabilities related to mybboard - mybb
cve-2008-7082
Vulnerability from cvelistv5
Published
2009-08-25 10:00
Modified
2024-08-07 11:56
Severity ?
Summary
MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.
References
http://www.securityfocus.com/archive/1/498630/100/0/threaded (mailing-list, x_refsource_BUGTRAQ)
http://www.securityfocus.com/bid/32467 (vdb-entry, x_refsource_BID)
http://secunia.com/advisories/32880 (third-party-advisory, x_refsource_SECUNIA)
https://exchange.xforce.ibmcloud.com/vulnerabilities/46885 (vdb-entry, x_refsource_XF)
http://osvdb.org/50275 (vdb-entry, x_refsource_OSVDB)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T11:56:14.019Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "20081125 MyBB 1.4.3 my_post_key Disclosure Vulnerability",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/498630/100/0/threaded",
               },
               {
                  name: "32467",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/32467",
               },
               {
                  name: "32880",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/32880",
               },
               {
                  name: "mybb-mypostkey-weak-security(46885)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46885",
               },
               {
                  name: "50275",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://osvdb.org/50275",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-11-25T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-11T19:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "20081125 MyBB 1.4.3 my_post_key Disclosure Vulnerability",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/498630/100/0/threaded",
            },
            {
               name: "32467",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/32467",
            },
            {
               name: "32880",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/32880",
            },
            {
               name: "mybb-mypostkey-weak-security(46885)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46885",
            },
            {
               name: "50275",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://osvdb.org/50275",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-7082",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "20081125 MyBB 1.4.3 my_post_key Disclosure Vulnerability",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/498630/100/0/threaded",
                  },
                  {
                     name: "32467",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/32467",
                  },
                  {
                     name: "32880",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/32880",
                  },
                  {
                     name: "mybb-mypostkey-weak-security(46885)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46885",
                  },
                  {
                     name: "50275",
                     refsource: "OSVDB",
                     url: "http://osvdb.org/50275",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-7082",
      datePublished: "2009-08-25T10:00:00",
      dateReserved: "2009-08-24T00:00:00",
      dateUpdated: "2024-08-07T11:56:14.019Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2009-4813
Vulnerability from cvelistv5
Published
2010-04-27 15:00
Modified
2024-08-07 07:17
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.
References
http://secunia.com/advisories/37910 (third-party-advisory, x_refsource_SECUNIA)
http://www.exploit-db.com/exploits/10622 (exploit, x_refsource_EXPLOIT-DB)
http://www.securityfocus.com/bid/37464 (vdb-entry, x_refsource_BID)
http://osvdb.org/61298 (vdb-entry, x_refsource_OSVDB)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T07:17:25.551Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "37910",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/37910",
               },
               {
                  name: "10622",
                  tags: [
                     "exploit",
                     "x_refsource_EXPLOIT-DB",
                     "x_transferred",
                  ],
                  url: "http://www.exploit-db.com/exploits/10622",
               },
               {
                  name: "37464",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/37464",
               },
               {
                  name: "61298",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://osvdb.org/61298",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2009-12-23T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2010-06-17T09:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "37910",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/37910",
            },
            {
               name: "10622",
               tags: [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
               ],
               url: "http://www.exploit-db.com/exploits/10622",
            },
            {
               name: "37464",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/37464",
            },
            {
               name: "61298",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://osvdb.org/61298",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2009-4813",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "37910",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/37910",
                  },
                  {
                     name: "10622",
                     refsource: "EXPLOIT-DB",
                     url: "http://www.exploit-db.com/exploits/10622",
                  },
                  {
                     name: "37464",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/37464",
                  },
                  {
                     name: "61298",
                     refsource: "OSVDB",
                     url: "http://osvdb.org/61298",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2009-4813",
      datePublished: "2010-04-27T15:00:00",
      dateReserved: "2010-04-27T00:00:00",
      dateUpdated: "2024-08-07T07:17:25.551Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2009-4448
Vulnerability from cvelistv5
Published
2009-12-29 20:15
Modified
2024-08-07 07:01
Severity ?
Summary
inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T07:01:20.701Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/10/08/7",
               },
               {
                  name: "37906",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/37906",
               },
               {
                  name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/10/11/8",
               },
               {
                  name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/12/06/2",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dev.mybboard.net/issues/600",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2009-12-28T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2011-01-04T10:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/10/08/7",
            },
            {
               name: "37906",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/37906",
            },
            {
               name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/10/11/8",
            },
            {
               name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/12/06/2",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dev.mybboard.net/issues/600",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2009-4448",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/10/08/7",
                  },
                  {
                     name: "37906",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/37906",
                  },
                  {
                     name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/10/11/8",
                  },
                  {
                     name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/12/06/2",
                  },
                  {
                     name: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
                     refsource: "CONFIRM",
                     url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
                  },
                  {
                     name: "http://dev.mybboard.net/issues/600",
                     refsource: "CONFIRM",
                     url: "http://dev.mybboard.net/issues/600",
                  },
                  {
                     name: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
                     refsource: "CONFIRM",
                     url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2009-4448",
      datePublished: "2009-12-29T20:15:00",
      dateReserved: "2009-12-29T00:00:00",
      dateUpdated: "2024-08-07T07:01:20.701Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2008-6198
Vulnerability from cvelistv5
Published
2009-02-20 00:00
Modified
2024-08-07 11:20
Severity ?
Summary
SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.
References
https://www.exploit-db.com/exploits/5379 (exploit, x_refsource_EXPLOIT-DB)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41685 (vdb-entry, x_refsource_XF)
http://www.securityfocus.com/bid/28652 (vdb-entry, x_refsource_BID)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T11:20:25.324Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "5379",
                  tags: [
                     "exploit",
                     "x_refsource_EXPLOIT-DB",
                     "x_transferred",
                  ],
                  url: "https://www.exploit-db.com/exploits/5379",
               },
               {
                  name: "custompages-pages-sql-injection(41685)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41685",
               },
               {
                  name: "28652",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/28652",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2008-04-06T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2017-09-28T12:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "5379",
               tags: [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
               ],
               url: "https://www.exploit-db.com/exploits/5379",
            },
            {
               name: "custompages-pages-sql-injection(41685)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41685",
            },
            {
               name: "28652",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/28652",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2008-6198",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "5379",
                     refsource: "EXPLOIT-DB",
                     url: "https://www.exploit-db.com/exploits/5379",
                  },
                  {
                     name: "custompages-pages-sql-injection(41685)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41685",
                  },
                  {
                     name: "28652",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/28652",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2008-6198",
      datePublished: "2009-02-20T00:00:00",
      dateReserved: "2009-02-19T00:00:00",
      dateUpdated: "2024-08-07T11:20:25.324Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2010-5096
Vulnerability from cvelistv5
Published
2012-08-13 23:00
Modified
2024-09-17 04:10
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error."
References
http://www.osvdb.org/70014 (vdb-entry, x_refsource_OSVDB)
http://dev.mybb.com/issues/1330 (x_refsource_MISC)
http://www.openwall.com/lists/oss-security/2012/05/08/7 (mailing-list, x_refsource_MLIST)
http://www.osvdb.org/70013 (vdb-entry, x_refsource_OSVDB)
http://www.securityfocus.com/bid/45565 (vdb-entry, x_refsource_BID)
http://www.openwall.com/lists/oss-security/2012/03/25/1 (mailing-list, x_refsource_MLIST)
http://www.openwall.com/lists/oss-security/2012/05/08/3 (mailing-list, x_refsource_MLIST)
http://www.openwall.com/lists/oss-security/2012/03/23/4 (mailing-list, x_refsource_MLIST)
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2010-5096",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-05-08T15:52:23.724097Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T18:44:49.399Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "ADP Container",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T04:09:39.121Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "70014",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/70014",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://dev.mybb.com/issues/1330",
               },
               {
                  name: "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/05/08/7",
               },
               {
                  name: "70013",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/70013",
               },
               {
                  name: "45565",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/45565",
               },
               {
                  name: "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 <= SQL Injection",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/03/25/1",
               },
               {
                  name: "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/05/08/3",
               },
               {
                  name: "[oss-security] 20120323 CVE-request: MyBB 1.6 <= SQL Injection",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2012/03/23/4",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php.  NOTE: the vendor disputes this issue, saying \"Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2012-08-13T23:00:00Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "70014",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/70014",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://dev.mybb.com/issues/1330",
            },
            {
               name: "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/05/08/7",
            },
            {
               name: "70013",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/70013",
            },
            {
               name: "45565",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/45565",
            },
            {
               name: "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 <= SQL Injection",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/03/25/1",
            },
            {
               name: "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/05/08/3",
            },
            {
               name: "[oss-security] 20120323 CVE-request: MyBB 1.6 <= SQL Injection",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2012/03/23/4",
            },
         ],
         tags: [
            "disputed",
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "secalert@redhat.com",
               ID: "CVE-2010-5096",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "** DISPUTED **  Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php.  NOTE: the vendor disputes this issue, saying \"Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.\"",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "70014",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/70014",
                  },
                  {
                     name: "http://dev.mybb.com/issues/1330",
                     refsource: "MISC",
                     url: "http://dev.mybb.com/issues/1330",
                  },
                  {
                     name: "[oss-security] 20120508 Re: CVE-request: MyBB before 1.6.1",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/05/08/7",
                  },
                  {
                     name: "70013",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/70013",
                  },
                  {
                     name: "45565",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/45565",
                  },
                  {
                     name: "[oss-security] 20120325 Re: CVE-request: MyBB 1.6 <= SQL Injection",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/03/25/1",
                  },
                  {
                     name: "[oss-security] 20120508 CVE-request: MyBB before 1.6.1",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/05/08/3",
                  },
                  {
                     name: "[oss-security] 20120323 CVE-request: MyBB 1.6 <= SQL Injection",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2012/03/23/4",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2010-5096",
      datePublished: "2012-08-13T23:00:00Z",
      dateReserved: "2012-04-30T00:00:00Z",
      dateUpdated: "2024-09-17T04:10:28.021Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2009-4449
Vulnerability from cvelistv5
Published
2009-12-29 20:15
Modified
2024-08-07 07:01
Severity ?
Summary
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
Impacted products
Vendor Product Version
n/a n/a Version: n/a


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T07:01:20.338Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "37489",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/37489",
               },
               {
                  name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/10/08/7",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
               },
               {
                  name: "37906",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/37906",
               },
               {
                  name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/10/11/8",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dev.mybboard.net/issues/617",
               },
               {
                  name: "ADV-2009-3651",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2009/3651",
               },
               {
                  name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://openwall.com/lists/oss-security/2010/12/06/2",
               },
               {
                  name: "61359",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://osvdb.org/61359",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2009-12-28T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2011-01-04T10:00:00",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "37489",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/37489",
            },
            {
               name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/10/08/7",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
            },
            {
               name: "37906",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/37906",
            },
            {
               name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/10/11/8",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dev.mybboard.net/issues/617",
            },
            {
               name: "ADV-2009-3651",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2009/3651",
            },
            {
               name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://openwall.com/lists/oss-security/2010/12/06/2",
            },
            {
               name: "61359",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://osvdb.org/61359",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2009-4449",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "37489",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/37489",
                  },
                  {
                     name: "[oss-security] 20101008 CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/10/08/7",
                  },
                  {
                     name: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
                     refsource: "CONFIRM",
                     url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
                  },
                  {
                     name: "37906",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/37906",
                  },
                  {
                     name: "[oss-security] 20101011 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/10/11/8",
                  },
                  {
                     name: "http://dev.mybboard.net/issues/617",
                     refsource: "CONFIRM",
                     url: "http://dev.mybboard.net/issues/617",
                  },
                  {
                     name: "ADV-2009-3651",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2009/3651",
                  },
                  {
                     name: "[oss-security] 20101206 Re: CVE request: mybb before 1.4.11 and before 1.4.12",
                     refsource: "MLIST",
                     url: "http://openwall.com/lists/oss-security/2010/12/06/2",
                  },
                  {
                     name: "61359",
                     refsource: "OSVDB",
                     url: "http://osvdb.org/61359",
                  },
                  {
                     name: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
                     refsource: "CONFIRM",
                     url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
                  },
                  {
                     name: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
                     refsource: "CONFIRM",
                     url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2009-4449",
      datePublished: "2009-12-29T20:15:00",
      dateReserved: "2009-12-29T00:00:00",
      dateUpdated: "2024-08-07T07:01:20.338Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

Vulnerability from fkie_nvd
Published
2009-12-29 20:41
Modified
2024-11-21 01:09
Severity ?
Summary
inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.
Impacted products
Vendor Product Version
mybboard mybb 1.4.10



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "24CD2FC7-005C-455E-9D71-719DD571741C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.",
      },
      {
         lang: "es",
         value: "inc/functions_time.php en MyBB (alias MyBulletinBoard) v1.4.10, y posiblemente versiones anteriores, permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) mediante una solicitud elaborada con un gran valor para el año, lo que dispara un bucle largo, como puede conseguirse a través de member.php y posiblemente otros vectores.",
      },
   ],
   id: "CVE-2009-4448",
   lastModified: "2024-11-21T01:09:40.220",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 5,
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2009-12-29T20:41:20.453",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
         ],
         url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Patch",
         ],
         url: "http://dev.mybboard.net/issues/600",
      },
      {
         source: "cve@mitre.org",
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
      },
      {
         source: "cve@mitre.org",
         url: "http://openwall.com/lists/oss-security/2010/10/08/7",
      },
      {
         source: "cve@mitre.org",
         url: "http://openwall.com/lists/oss-security/2010/10/11/8",
      },
      {
         source: "cve@mitre.org",
         url: "http://openwall.com/lists/oss-security/2010/12/06/2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37906",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Patch",
         ],
         url: "http://dev.mybboard.net/issues/600",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4613/diff/branches/1.4-stable/inc/functions_time.php",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://openwall.com/lists/oss-security/2010/10/08/7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://openwall.com/lists/oss-security/2010/10/11/8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://openwall.com/lists/oss-security/2010/12/06/2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37906",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-399",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2009-02-20 00:30
Modified
2024-11-21 00:55
Severity ?
Summary
SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.
Impacted products
Vendor Product Version
mybboard mybb * (any version; the CPE entry is marked vulnerable: false and is AND-ed with the plugin entry)
mybboard custom_pages_plugin 1.0



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "DEE7EB4E-FDF4-4D6E-A52E-34661259704D",
                     vulnerable: false,
                  },
               ],
               negate: false,
               operator: "OR",
            },
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:custom_pages_plugin:1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "C0BA6490-5524-4738-8102-235A6D0B8182",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
         operator: "AND",
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de inyección SQL en pages.php en el complemento Custom Pages v1.0 para MyBulletinBoard (MyBB), permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro \"page\".",
      },
   ],
   id: "CVE-2008-6198",
   lastModified: "2024-11-21T00:55:55.117",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: true,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2009-02-20T00:30:00.313",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/28652",
      },
      {
         source: "cve@mitre.org",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41685",
      },
      {
         source: "cve@mitre.org",
         url: "https://www.exploit-db.com/exploits/5379",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/28652",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/41685",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.exploit-db.com/exploits/5379",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-89",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2009-12-29 20:41
Modified
2024-11-21 01:09
Summary
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
References
cve@mitre.org | http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ | Release Notes
cve@mitre.org | http://dev.mybboard.net/issues/617 | Broken Link
cve@mitre.org | http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php | Broken Link, Exploit
cve@mitre.org | http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php | Broken Link, Exploit
cve@mitre.org | http://openwall.com/lists/oss-security/2010/10/08/7 | Mailing List
cve@mitre.org | http://openwall.com/lists/oss-security/2010/10/11/8 | Mailing List
cve@mitre.org | http://openwall.com/lists/oss-security/2010/12/06/2 | Mailing List
cve@mitre.org | http://osvdb.org/61359 | Broken Link
cve@mitre.org | http://secunia.com/advisories/37906 | Broken Link, Vendor Advisory
cve@mitre.org | http://www.securityfocus.com/bid/37489 | Broken Link, Third Party Advisory, VDB Entry
cve@mitre.org | http://www.vupen.com/english/advisories/2009/3651 | Permissions Required, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ | Release Notes
af854a3a-2127-422b-91ae-364da2661108 | http://dev.mybboard.net/issues/617 | Broken Link
af854a3a-2127-422b-91ae-364da2661108 | http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php | Broken Link, Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php | Broken Link, Exploit
af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2010/10/08/7 | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2010/10/11/8 | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | http://openwall.com/lists/oss-security/2010/12/06/2 | Mailing List
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/61359 | Broken Link
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/37906 | Broken Link, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/37489 | Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108 | http://www.vupen.com/english/advisories/2009/3651 | Permissions Required, Vendor Advisory
Impacted products
Vendor Product Version
mybboard mybb 1.4.10



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "24CD2FC7-005C-455E-9D71-719DD571741C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de salto de directorio en MyBB (MyBulletinBoard) v1.4.10, y posiblemente versiones anteriores. Cuando se cambia el avatar de usuario desde la galería, permite a usuarios remotos autenticados determinar la existencia de ficheros a través de secuencias de salto de directorio en el avatar y posiblemente los parámetros de la galería. Relacionado con (1) admin/modules/user/users.php y (2) usercp.php.",
      },
   ],
   id: "CVE-2009-4449",
   lastModified: "2024-11-21T01:09:40.373",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "SINGLE",
               availabilityImpact: "NONE",
               baseScore: 6.3,
               confidentialityImpact: "COMPLETE",
               integrityImpact: "NONE",
               vectorString: "AV:N/AC:M/Au:S/C:C/I:N/A:N",
               version: "2.0",
            },
            exploitabilityScore: 6.8,
            impactScore: 6.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "NETWORK",
               availabilityImpact: "NONE",
               baseScore: 6.5,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "HIGH",
               integrityImpact: "NONE",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
               version: "3.1",
            },
            exploitabilityScore: 2.8,
            impactScore: 3.6,
            source: "nvd@nist.gov",
            type: "Primary",
         },
      ],
   },
   published: "2009-12-29T20:41:20.500",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Release Notes",
         ],
         url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://dev.mybboard.net/issues/617",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
            "Exploit",
         ],
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
            "Exploit",
         ],
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/10/08/7",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/10/11/8",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/12/06/2",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
         ],
         url: "http://osvdb.org/61359",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37906",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Broken Link",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/37489",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Permissions Required",
            "Vendor Advisory",
         ],
         url: "http://www.vupen.com/english/advisories/2009/3651",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Release Notes",
         ],
         url: "http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://dev.mybboard.net/issues/617",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Exploit",
         ],
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Exploit",
         ],
         url: "http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/10/08/7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/10/11/8",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Mailing List",
         ],
         url: "http://openwall.com/lists/oss-security/2010/12/06/2",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
         ],
         url: "http://osvdb.org/61359",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37906",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Broken Link",
            "Third Party Advisory",
            "VDB Entry",
         ],
         url: "http://www.securityfocus.com/bid/37489",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Permissions Required",
            "Vendor Advisory",
         ],
         url: "http://www.vupen.com/english/advisories/2009/3651",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-22",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2012-08-13 23:55
Modified
2024-11-21 01:22
Severity ?
Summary
Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error."
Impacted products
Vendor Product Version
mybb mybb * (up to and including 1.6.0)
mybb mybb 1.00
mybb mybb 1.0 (beta4)
mybb mybb 1.0 (pr1)
mybb mybb 1.0 (pr2)
mybb mybb 1.0 (rc1)
mybb mybb 1.0 (rc2)
mybb mybb 1.0 (rc3)
mybb mybb 1.0 (rc4)
mybb mybb 1.01
mybb mybb 1.1.0
mybb mybb 1.1.1
mybb mybb 1.1.2
mybb mybb 1.1.3
mybb mybb 1.1.4
mybb mybb 1.1.5
mybb mybb 1.1.6
mybb mybb 1.1.7
mybb mybb 1.1.8
mybb mybb 1.02
mybb mybb 1.2
mybb mybb 1.2.0
mybb mybb 1.2.1
mybb mybb 1.2.2
mybb mybb 1.2.3
mybb mybb 1.2.4
mybb mybb 1.2.5
mybb mybb 1.2.6
mybb mybb 1.2.7
mybb mybb 1.2.8
mybb mybb 1.2.9
mybb mybb 1.2.10
mybb mybb 1.2.11
mybb mybb 1.2.12
mybb mybb 1.2.13
mybb mybb 1.2.14
mybb mybb 1.03
mybb mybb 1.3 (pre-1.0)
mybb mybb 1.04
mybb mybb 1.4.0
mybb mybb 1.4.1
mybb mybb 1.4.2
mybb mybb 1.4.3
mybb mybb 1.4.4
mybb mybb 1.4.5
mybb mybb 1.4.6
mybb mybb 1.4.7
mybb mybb 1.4.8
mybb mybb 1.4.9
mybb mybb 1.4.10
mybb mybb 1.4.11
mybb mybb 1.4.12
mybb mybb 1.4.13
mybb mybb 1.4.14
mybb mybb 1.4.15
mybb mybb 1.4.16
mybb mybb 1.5.1
mybb mybb 1.5.2
mybboard mybb 1.4.3
mybboard mybb 1.4.10



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D53879AD-6CE7-4A7C-B5C3-EE6C3101D773",
                     versionEndIncluding: "1.6.0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*",
                     matchCriteriaId: "BD61D970-9363-4A75-A8DB-D0EBA2CF0D53",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:beta4:*:*:*:*:*:*",
                     matchCriteriaId: "C14F8B95-1A33-4DA8-8DE4-35C7DC3590CF",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:pr1:*:*:*:*:*:*",
                     matchCriteriaId: "CD7728CD-1FA0-4428-B3FC-883781A699CD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:pr2:*:*:*:*:*:*",
                     matchCriteriaId: "0883675F-9442-49E7-8471-C205B7EA201D",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:rc1:*:*:*:*:*:*",
                     matchCriteriaId: "B85E419B-F9D3-4839-A15C-F22BF9DABFAC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:rc2:*:*:*:*:*:*",
                     matchCriteriaId: "EAB8B860-71DC-4F45-9E2A-74BD1C2ED893",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:rc3:*:*:*:*:*:*",
                     matchCriteriaId: "C67749DF-F8AF-4C88-A120-0F48307C58E1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.0:rc4:*:*:*:*:*:*",
                     matchCriteriaId: "FD0820A0-5D85-446F-9B7E-F8DB258A1178",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*",
                     matchCriteriaId: "990E206E-5E2C-4A68-9FDF-CD47F7524054",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "CF143B59-5C78-4BF6-9368-5BCF427B4753",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "B16F6F07-F5A9-47BF-88ED-25F068B68CF6",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "A8A46A48-1361-4DD3-B97D-4C4FC776D68A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "337D89AE-1B7A-4101-B1F7-DFEDF2369385",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "BE08AF25-EDB1-4DA1-B431-F0692858AAAA",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "BF24E7BA-3144-4DBA-9613-A44FBE0822F9",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "029430A5-85BD-4258-B58D-F3DCBC625E5B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "4183DB7F-FAB3-4D90-AD87-31CA4150CFDD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "3E2B90B8-DC02-4C79-BD69-DEF79945C418",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*",
                     matchCriteriaId: "C5C52215-D236-4D1A-9E30-14B9676FB68A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "4E080342-93CD-4E74-AE60-5858738CE7F5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "B48D2EDF-86C2-475C-9476-E5A2D586CA0E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "B6725373-C229-4B57-BB1E-AF178E19DEB0",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "36E4C84A-21D5-4C9A-85F8-45C9657CE6F5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "C7E55085-E3E3-4BB8-A680-19A28D7E88F4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "AB01A9AA-AE70-46DF-815A-05D1101EE706",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "98AFD77B-A046-4AB9-B6F4-FFFF66C63C68",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "AA00D38E-AAF6-4F66-9203-5C074FC61F30",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "137A8CED-BE82-462F-B83C-15F535961E74",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "D179FDB6-9B1D-438C-B512-9A5C4F869A4C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*",
                     matchCriteriaId: "B3E72A13-6B4A-4C7F-B8D9-A2D35E074B67",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "3A2D344F-4671-4194-A553-A5773B5DF3B1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*",
                     matchCriteriaId: "245760C8-DC10-47F1-843A-461AE2F3DF61",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*",
                     matchCriteriaId: "A055E6BF-3CAC-4C74-8E37-A89E3E0F8559",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*",
                     matchCriteriaId: "1121A071-3709-4B2B-ADF4-EDC560F73E0A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.2.14:*:*:*:*:*:*:*",
                     matchCriteriaId: "71FD2842-7E00-440F-8A93-9D3F45A004DB",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*",
                     matchCriteriaId: "F6ABDEE8-D463-47CA-998D-33472F3382F3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.3:pre-1.0:*:*:*:*:*:*",
                     matchCriteriaId: "16C45BFE-A083-4DC8-A2E5-9BCE543F5AE4",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*",
                     matchCriteriaId: "DE44965F-F968-4CD2-9F21-1E1A92F5F7F2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.0:*:*:*:*:*:*:*",
                     matchCriteriaId: "3FC8864E-161F-408E-93D6-693A9238C494",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "4C5965DE-D9B6-4074-B14B-ABCAAAAB872B",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "9503D6C2-DCBC-4720-BE29-34913950407E",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "0F6FC2B1-45DF-439E-8BAE-A15A08E7D9F7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.4:*:*:*:*:*:*:*",
                     matchCriteriaId: "853E94FE-A56F-44B0-87FE-DE5927B7A547",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.5:*:*:*:*:*:*:*",
                     matchCriteriaId: "49C7F758-9E38-4870-85C3-11E350F96641",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.6:*:*:*:*:*:*:*",
                     matchCriteriaId: "B46B7E13-51F8-4950-BBB4-A03B8E5B4750",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.7:*:*:*:*:*:*:*",
                     matchCriteriaId: "58C9C804-6901-412C-B178-183417BD5C04",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.8:*:*:*:*:*:*:*",
                     matchCriteriaId: "A00F1254-67DE-436D-AB83-1C55639BDBD2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.9:*:*:*:*:*:*:*",
                     matchCriteriaId: "AC2FDC2B-2CB4-433F-9290-3A6BE0A929B5",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "1FF9452B-CF4B-45F0-8487-23D9CCBB1A4A",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.11:*:*:*:*:*:*:*",
                     matchCriteriaId: "2021275B-D61A-4309-8876-5354E115CB29",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.12:*:*:*:*:*:*:*",
                     matchCriteriaId: "7925DEA1-8062-45C9-94E7-19D8FACEAFCD",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.13:*:*:*:*:*:*:*",
                     matchCriteriaId: "D35E537F-0F49-40AB-9E97-7898D91353D1",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.14:*:*:*:*:*:*:*",
                     matchCriteriaId: "BCDC1181-A2B7-4D1B-B2BF-DAC9E58E88C3",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.15:*:*:*:*:*:*:*",
                     matchCriteriaId: "57C37D10-B945-4674-A846-BCEC573FF93C",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.4.16:*:*:*:*:*:*:*",
                     matchCriteriaId: "4FD245B9-1381-4A1B-AF47-F28349FA6F52",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.5.1:*:*:*:*:*:*:*",
                     matchCriteriaId: "2AFD7848-56E4-4608-82E7-CFF46A8809AC",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybb:mybb:1.5.2:*:*:*:*:*:*:*",
                     matchCriteriaId: "CC489F94-3545-4E1A-AE9E-B88EB1A7D516",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "D51785C1-C278-4302-A747-64246BE6F920",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "24CD2FC7-005C-455E-9D71-719DD571741C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [
      {
         sourceIdentifier: "secalert@redhat.com",
         tags: [
            "disputed",
         ],
      },
   ],
   descriptions: [
      {
         lang: "en",
         value: "Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php.  NOTE: the vendor disputes this issue, saying \"Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.\"",
      },
      {
         lang: "es",
         value: "** EN DISPUTA ** Múltiples vulnerabilidades de inyección SQL en MyBB (también conocido como MyBulletinBoard) antes de v1.6.1 permiten a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro 'keywords' de (1) una acción do_search a search.php o (2) una acción do_stuff a private.php. NOTA: El vendedor rechaza este problema diciendo que \"...aunque esto no conduce a una inyección de SQL, sí que provoca un error genérico de SQL de MyBB\".\r\n",
      },
   ],
   id: "CVE-2010-5096",
   lastModified: "2024-11-21T01:22:29.960",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "HIGH",
            cvssData: {
               accessComplexity: "LOW",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 7.5,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 10,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: false,
         },
      ],
   },
   published: "2012-08-13T23:55:00.850",
   references: [
      {
         source: "secalert@redhat.com",
         url: "http://dev.mybb.com/issues/1330",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/03/23/4",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/03/25/1",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/05/08/3",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.openwall.com/lists/oss-security/2012/05/08/7",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.osvdb.org/70013",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.osvdb.org/70014",
      },
      {
         source: "secalert@redhat.com",
         url: "http://www.securityfocus.com/bid/45565",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://dev.mybb.com/issues/1330",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/03/23/4",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/03/25/1",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/05/08/3",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2012/05/08/7",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.osvdb.org/70013",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.osvdb.org/70014",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/bid/45565",
      },
   ],
   sourceIdentifier: "secalert@redhat.com",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-89",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2009-08-25 10:30
Modified
2024-11-21 00:58
Severity ?
Summary
MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.
Impacted products
Vendor Product Version
mybboard mybb 1.4.3



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.3:*:*:*:*:*:*:*",
                     matchCriteriaId: "D51785C1-C278-4302-A747-64246BE6F920",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.",
      },
      {
         lang: "es",
         value: "MyBB (también conocido como MyBulletinBoard) v1.4.3 incluye el parámetro \"my_post_key\" en URLs en moderation.php con las acciones (1) \"mergeposts\", (2) \"split\", y (3) \"deleteposts\", lo que permitiría a atacantes remotos robar la credencial de autenticación y evitar la protección de falsificación de petición en sitios cruzados (CSRF) y secuestrar la autenticación de los moderadores mediante la lectura de la credencial de autenticación de la cabecera HTTP Referer.",
      },
   ],
   id: "CVE-2008-7082",
   lastModified: "2024-11-21T00:58:13.757",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "PARTIAL",
               baseScore: 6.8,
               confidentialityImpact: "PARTIAL",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 6.4,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
   },
   published: "2009-08-25T10:30:00.733",
   references: [
      {
         source: "cve@mitre.org",
         url: "http://osvdb.org/50275",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/32880",
      },
      {
         source: "cve@mitre.org",
         url: "http://www.securityfocus.com/archive/1/498630/100/0/threaded",
      },
      {
         source: "cve@mitre.org",
         url: "http://www.securityfocus.com/bid/32467",
      },
      {
         source: "cve@mitre.org",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46885",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://osvdb.org/50275",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/32880",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/archive/1/498630/100/0/threaded",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/bid/32467",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/46885",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-352",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

Vulnerability from fkie_nvd
Published
2010-04-27 15:30
Modified
2024-11-21 01:10
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.
Impacted products
Vendor Product Version
mybboard mybb 1.4.10



{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:mybboard:mybb:1.4.10:*:*:*:*:*:*:*",
                     matchCriteriaId: "24CD2FC7-005C-455E-9D71-719DD571741C",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.",
      },
      {
         lang: "es",
         value: "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en myps.php en MyBB (también conocido como MyBulletinBoard) 1.4.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro \"username\" en una acción \"donate\".",
      },
   ],
   id: "CVE-2009-4813",
   lastModified: "2024-11-21T01:10:31.607",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
   },
   published: "2010-04-27T15:30:00.640",
   references: [
      {
         source: "cve@mitre.org",
         url: "http://osvdb.org/61298",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37910",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.exploit-db.com/exploits/10622",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/37464",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://osvdb.org/61298",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/37910",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.exploit-db.com/exploits/10622",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/37464",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Modified",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}