VYPR

Mybulletinboard

by PhpBB

CVEs (74)

  • CVE-2018-1000502 | High | Jun 26, 2018
    risk 0.47 | cvss 7.2 | epss 0.01

    MyBB Group MyBB contains a File Inclusion vulnerability in the Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appears to be…

  • CVE-2018-17128 | Medium | Sep 17, 2018
    risk 0.44 | cvss 5.4 | epss 0.75

    A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

  • CVE-2018-15596 | Medium | Aug 28, 2018
    risk 0.43 | cvss 6.1 | epss 0.02

    An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't…

  • CVE-2018-10678 | Medium | May 13, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

  • CVE-2018-10365 | Medium | May 1, 2018
    risk 0.38 | cvss 5.4 | epss 0.02

    An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized.

  • CVE-2018-6844 | Medium | Feb 8, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

  • CVE-2018-7305 | Medium | Feb 21, 2018
    risk 0.32 | cvss 4.9 | epss 0.00

    MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.

  • CVE-2018-1000503 | Medium | Jun 26, 2018
    risk 0.28 | cvss 4.3 | epss 0.01

    MyBB Group MyBB contains an Incorrect Access Control vulnerability in Private forums that can allow users to view posts from private forums without having the password. This attack appears to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to…

  • CVE-2008-0382 | Jan 22, 2008
    risk 0.06 | cvss n/a | epss 0.42

    Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php.

  • CVE-2018-14575 | Mar 17, 2019
    risk 0.03 | cvss n/a | epss 0.02

    Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.

  • CVE-2009-2230 | Jun 26, 2009
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter.

  • CVE-2008-0787 | Feb 15, 2008
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php.

  • CVE-2007-2211 | Apr 24, 2007
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action.

  • CVE-2007-1963 | Apr 11, 2007
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.

  • CVE-2006-4449 | Aug 30, 2006
    risk 0.03 | cvss n/a | epss 0.02

    Cross-site scripting (XSS) vulnerability in attachment.php in MyBulletinBoard (MyBB) 1.1.7 and possibly other versions allows remote attackers to inject arbitrary web script or HTML via a GIF image that contains URL-encoded Javascript, which is rendered by Internet Explorer.

  • CVE-2006-3775 | Jul 24, 2006
    risk 0.03 | cvss n/a | epss 0.02

    SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by index.php.

  • CVE-2006-2908 | Jun 13, 2006
    risk 0.03 | cvss n/a | epss 0.04

    The domecode function in inc/functions_post.php in MyBulletinBoard (MyBB) 1.1.2, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier.

  • CVE-2006-2336 | May 12, 2006
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter.

  • CVE-2006-1974 | Apr 21, 2006
    risk 0.03 | cvss n/a | epss 0.01

    SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter.

  • CVE-2006-1912 | Apr 20, 2006
    risk 0.03 | cvss n/a | epss 0.02

    MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site…

Page 1 of 4