VYPR

Vendor CVEs

MyBB

All CVEs

216 total · sorted by risk
  • CVE-2011-5133Aug 30, 2012
    risk 0.00cvss epss 0.02

    Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."

  • CVE-2011-5132Aug 30, 2012
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "usernames via AJAX."

  • CVE-2011-5131Aug 30, 2012
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user's language via the language parameter.

  • CVE-2012-2327Aug 13, 2012
    risk 0.00cvss epss 0.01

    MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message.

  • CVE-2012-2326Aug 13, 2012
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment.

  • CVE-2012-2325Aug 13, 2012
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2012-2324Aug 13, 2012
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).

  • CVE-2011-3759Sep 23, 2011
    risk 0.00cvss epss 0.01

    MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files.

  • CVE-2010-4629Dec 30, 2010
    risk 0.00cvss epss 0.02

    MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to…

  • CVE-2010-4628Dec 30, 2010
    risk 0.00cvss epss 0.02

    member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table.

  • CVE-2010-4627Dec 30, 2010
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

  • CVE-2010-4626Dec 30, 2010
    risk 0.00cvss epss 0.02

    The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then…

  • CVE-2010-4625Dec 30, 2010
    risk 0.00cvss epss 0.02

    MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.

  • CVE-2010-4624Dec 30, 2010
    risk 0.00cvss epss 0.02

    MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created.

  • CVE-2010-4522Dec 30, 2010
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php.

  • CVE-2009-4448Dec 29, 2009
    risk 0.00cvss epss 0.02

    inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and…

  • CVE-2008-7082Aug 25, 2009
    risk 0.00cvss epss 0.01

    MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection…

  • CVE-2008-4930Nov 4, 2008
    risk 0.00cvss epss 0.01

    MyBB (aka MyBulletinBoard) 1.4.2 does not properly handle an uploaded file with a nonstandard file type that contains HTML sequences, which allows remote attackers to cause that file to be processed as HTML by Internet Explorer's content inspection, aka "Incomplete protection…

  • CVE-2008-4928Nov 4, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the…

  • CVE-2008-3967Sep 11, 2008
    risk 0.00cvss epss 0.01

    moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors.

  • CVE-2008-3966Sep 11, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3)…

  • CVE-2008-3965Sep 11, 2008
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.

  • CVE-2008-3334Jul 27, 2008
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php.

  • CVE-2008-3070Jul 8, 2008
    risk 0.00cvss epss 0.01

    Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.

  • CVE-2008-3069Jul 8, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php.

  • CVE-2008-3071Jul 8, 2008
    risk 0.00cvss epss 0.01

    Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.

  • CVE-2008-0788Feb 15, 2008
    risk 0.00cvss epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the…

  • CVE-2007-0689May 14, 2007
    risk 0.00cvss epss 0.02

    MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.

  • CVE-2007-1964Apr 11, 2007
    risk 0.00cvss epss 0.01

    member.php in MyBB (aka MyBulletinBoard), when debug mode is available, allows remote authenticated users to change the password of any account by providing the account's registered e-mail address in a debug request for a do_lostpw action, which prints the change password…

  • CVE-2007-0622Jan 31, 2007
    risk 0.00cvss epss 0.01

    Cross-site request forgery (CSRF) vulnerability in MyBB (aka MyBulletinBoard) 1.2.2 allows remote attackers to send messages to arbitrary users. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

  • CVE-2007-0544Jan 29, 2007
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in private.php in MyBB (aka MyBulletinBoard) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field, a different vector than CVE-2006-2949.

  • CVE-2006-4972Sep 25, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in archive/index.php/forum-4.html in MyBB (aka MyBulletinBoard) allows remote attackers to inject arbitrary web script or HTML via the navbits[][name] parameter.

  • CVE-2006-4971Sep 25, 2006
    risk 0.00cvss epss 0.01

    MyBB (aka MyBulletinBoard) allows remote attackers to obtain sensitive information via a direct request for inc/plugins/hello.php, which reveals the path in an error message.

  • CVE-2006-4706Sep 12, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.1.7 allows remote attackers to inject arbitrary web script or HTML via a url BBCode tag that contains a javascript URI with an SGML numeric character reference and an embedded…

  • CVE-2006-4707Sep 12, 2006
    risk 0.00cvss epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/global.php (aka the Admin CP login form) in MyBB (aka MyBulletinBoard) 1.1.7 allows remote attackers to inject arbitrary web script or HTML via the query string ($_SERVER[PHP_SELF]).

  • CVE-2006-3953Aug 1, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in usercp.php in MyBB (aka MyBulletinBoard) 1.x allows remote attackers to inject arbitrary web script or HTML via the gallery parameter.

  • CVE-2006-3954Aug 1, 2006
    risk 0.00cvss epss 0.02

    Directory traversal vulnerability in usercp.php in MyBB (aka MyBulletinBoard) 1.x allows remote attackers to read arbitrary files via a .. (dot dot) in the gallery parameter in a (1) avatar or (2) do_avatar action.

  • CVE-2006-3758Jul 21, 2006
    risk 0.00cvss epss 0.01

    inc/init.php in Archive Mode (Light) in MyBB (aka MyBulletinBoard) 1.1.4 calls the extract function with EXTR_OVERWRITE on HTTP POST and GET variables, which allows remote attackers to overwrite arbitrary variables, as demonstrated via an SQL injection using the…

  • CVE-2006-3761Jul 21, 2006
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.0 RC2 through 1.1.4 allows remote attackers to inject arbitrary web script or HTML via a javascript URI with an SGML numeric character reference in the url BBCode tag, as…

  • CVE-2006-3760Jul 21, 2006
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1.1.4 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2006-3420Jul 7, 2006
    risk 0.00cvss epss 0.02

    Cross-site request forgery (CSRF) vulnerability in editpost.php in MyBulletinBoard (MyBB) before 1.1.5 allows remote attackers to perform unauthorized actions as a logged in user and delete arbitrary forum posts via a bbcode IMG tag with a modified delete parameter in a…

  • CVE-2006-3243Jun 27, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in usercp.php in MyBB (MyBulletinBoard) 1.0 through 1.1.3 allows remote attackers to execute arbitrary SQL commands via the showcodebuttons parameter.

  • CVE-2006-2949Jun 12, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in private.php in MyBB 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the do parameter.

  • CVE-2006-2589May 25, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in rss.php in MyBB (aka MyBulletinBoard) 1.1.1 allows remote attackers to execute arbitrary SQL commands via the comma parameter. NOTE: it is not clear from the original report how this attack can succeed, since the demonstration URL uses a variable…

  • CVE-2006-2333May 12, 2006
    risk 0.00cvss epss 0.01

    Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) 1.1.1 allow remote attackers to execute arbitrary SQL commands via the e-mail address when registering for a forum that requires e-mail verification, which is not properly handled in (1) usercp.php and (2)…

  • CVE-2006-2103Apr 29, 2006
    risk 0.00cvss epss 0.01

    SQL injection vulnerability in MyBB (MyBulletinBoard) 1.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the (1) query string ($querystring variable) in (a) admin/adminlogs.php, which is not properly handled by adminfunctions.php; or (2)…

  • CVE-2006-1911Apr 20, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in MyBB (MyBulletinBoard) 1.1 allows remote attackers to inject arbitrary web script or HTML via the attachment content disposition in an HTML attachment.

  • CVE-2006-1716Apr 11, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode img tag. NOTE: the email vector is already covered by CVE-2006-1625, although…

  • CVE-2006-1717Apr 11, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in newthread.php in MyBB (aka MyBulletinBoard) 1.10, when configured to permit new threads by unregistered users, allows remote attackers to inject arbitrary web script or HTML via the username.

  • CVE-2006-1625Apr 5, 2006
    risk 0.00cvss epss 0.01

    Cross-site scripting (XSS) vulnerability in inc/functions_post.php in MyBB (aka MyBulletinBoard) 1.10 allows remote attackers to inject arbitrary web script or HTML via a JavaScript event in a BBCode email tag, as demonstrated using the onmousemove event.

Page 4 of 5