Mybb
by MyBB
Source repositories
CVEs (180)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2008-0382 | | | 0.06 | — | 0.42 | | Jan 22, 2008 | Multiple eval injection vulnerabilities in MyBB 1.2.10 and earlier allow remote attackers to execute arbitrary code via the sortby parameter to (1) forumdisplay.php or (2) a results action in search.php. |
| CVE-2022-24734 | | | 0.03 | — | 0.78 | | Mar 9, 2022 | MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change… |
| CVE-2021-27946 | | | 0.03 | — | 0.04 | | Mar 15, 2021 | SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3). |
| CVE-2021-27890 | | | 0.03 | — | 0.11 | | Mar 15, 2021 | SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files. |
| CVE-2021-27889 | | | 0.03 | — | 0.05 | | Mar 15, 2021 | Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. |
| CVE-2014-9241 | | | 0.03 | — | 0.03 | | Dec 3, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title… |
| CVE-2014-9240 | | | 0.03 | — | 0.03 | | Dec 3, 2014 | SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action. |
| CVE-2012-5909 | | | 0.03 | — | 0.01 | | Nov 17, 2012 | SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php. |
| CVE-2012-5908 | | | 0.03 | — | 0.02 | | Nov 17, 2012 | Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php. |
| CVE-2010-5096 | | | 0.03 | — | 0.06 | | Aug 13, 2012 | Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this… |
| CVE-2009-4813 | | | 0.03 | — | 0.01 | | Apr 27, 2010 | Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action. |
| CVE-2009-2230 | | | 0.03 | — | 0.01 | | Jun 26, 2009 | SQL injection vulnerability in inc/datahandlers/user.php in MyBB (aka MyBulletinBoard) before 1.4.7 allows remote authenticated users to execute arbitrary SQL commands via the birthdayprivacy parameter. |
| CVE-2008-0787 | | | 0.03 | — | 0.01 | | Feb 15, 2008 | SQL injection vulnerability in inc/datahandlers/pm.php in MyBB before 1.2.12 allows remote authenticated users to execute arbitrary SQL commands via the options[disablesmilies] parameter to private.php. |
| CVE-2008-0383 | | | 0.03 | — | 0.01 | | Jan 22, 2008 | Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a… |
| CVE-2007-2212 | | | 0.03 | — | 0.01 | | Apr 24, 2007 | Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained… |
| CVE-2007-2211 | | | 0.03 | — | 0.01 | | Apr 24, 2007 | SQL injection vulnerability in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allows remote attackers to execute arbitrary SQL commands via the day parameter in a dayview action. |
| CVE-2007-1963 | | | 0.03 | — | 0.01 | | Apr 11, 2007 | SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775. |
| CVE-2006-3775 | | | 0.03 | — | 0.02 | | Jul 24, 2006 | SQL injection vulnerability in the init function in class_session.php in MyBB (aka MyBulletinBoard) 1.1.5 allows remote attackers to execute arbitrary SQL commands via the CLIENT-IP HTTP header ($_SERVER['HTTP_CLIENT_IP'] variable), as utilized by index.php. |
| CVE-2006-2336 | | | 0.03 | — | 0.01 | | May 12, 2006 | SQL injection vulnerability in showthread.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. |
| CVE-2006-1974 | | | 0.03 | — | 0.01 | | Apr 21, 2006 | SQL injection vulnerability in index.php in MyBB (MyBulletinBoard) before 1.04 allows remote attackers to execute arbitrary SQL commands via the referrer parameter. |