Mybulletinboard
by PhpBB
CVEs (74)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-1000502 | | Hig | 0.47 | 7.2 | 0.01 | | Jun 26, 2018 | MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be… |
| CVE-2018-17128 | | Med | 0.44 | 5.4 | 0.75 | | Sep 17, 2018 | A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. |
| CVE-2018-15596 | | Med | 0.43 | 6.1 | 0.02 | | Aug 28, 2018 | An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't… |
| CVE-2018-10678 | | Med | 0.40 | 6.1 | 0.01 | | May 13, 2018 | MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. |
| CVE-2018-10365 | | Med | 0.38 | 5.4 | 0.02 | | May 1, 2018 | An XSS issue was discovered in the Threads to Link plugin 1.3 for MyBB. When editing a thread, the user is given the option to convert the thread to a link. The thread link input box is not properly sanitized. |
| CVE-2018-6844 | | Med | 0.35 | 5.4 | 0.01 | | Feb 8, 2018 | MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. |
| CVE-2018-7305 | | Med | 0.32 | 4.9 | 0.00 | | Feb 21, 2018 | MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. |
| CVE-2018-1000503 | | Med | 0.28 | 4.3 | 0.01 | | Jun 26, 2018 | MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to… |
| CVE-2008-0382 | | | 0.06 | — | 0.42 | | Jan 22, 2008 | Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php. |
| CVE-2018-14575 | | | 0.03 | — | 0.02 | | Mar 17, 2019 | Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. |
| CVE-2009-2230 | | | 0.03 | — | 0.01 | | Jun 26, 2009 | SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter. |
| CVE-2008-0787 | | | 0.03 | — | 0.01 | | Feb 15, 2008 | SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php. |
| CVE-2007-2211 | | | 0.03 | — | 0.01 | | Apr 24, 2007 | SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action. |
| CVE-2007-1963 | | | 0.03 | — | 0.01 | | Apr 11, 2007 | SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775. |
| CVE-2006-4449 | | | 0.03 | — | 0.02 | | Aug 30, 2006 | Cross-site scripting (XSS) vulnerability in attachment.php in MyBulletinBoard (MyBB) 1.1.7 and possibly other versions allows remote attackers to inject arbitrary web script or HTML via a GIF image that contains URL-encoded Javascript, which is rendered by Internet Explorer. |
| CVE-2006-3775 | | | 0.03 | — | 0.02 | | Jul 24, 2006 | SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by index.php. |
| CVE-2006-2908 | | | 0.03 | — | 0.04 | | Jun 13, 2006 | The domecode function in inc/functions_post.php in MyBulletinBoard (MyBB) 1.1.2, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the username field, which is used in a preg_replace function call with a /e (executable) modifier. |
| CVE-2006-2336 | | | 0.03 | — | 0.01 | | May 12, 2006 | SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. |
| CVE-2006-1974 | | | 0.03 | — | 0.01 | | Apr 21, 2006 | SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter. |
| CVE-2006-1912 | | | 0.03 | — | 0.02 | | Apr 20, 2006 | MyBB (MyBulletinBoard) 1.1.0 does not set the constant KILL_GLOBAL variable in (1) global.php and (2) inc/init.php, which allows remote attackers to initialize arbitrary variables that are processed by an @extract command, which could then be leveraged to conduct cross-site… |