Product: Mybb (Mybb)
Repository: https://github.com/mybb/mybb
Vulnerabilities: 122
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2012-08-13 | CVE-2010-5096 | Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error." | Mybb, Mybb | N/A | | |
| 2023-11-06 | CVE-2023-46251 | MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages... | Mybb | 6.1 | | |
| 2008-11-04 | CVE-2008-4929 | MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames. | Mybb | 7.5 | | |
| 2023-11-06 | CVE-2023-45556 | Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component. | Mybb | 5.4 | | |
| 2022-10-06 | CVE-2022-39265 | MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`.... | Mybb | 7.2 | | |
| 2023-08-29 | CVE-2023-41362 | MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP. | Mybb | 7.2 | | |
| 2023-09-01 | CVE-2020-22612 | Installer RCE on settings file write in MyBB before 1.8.22. | Mybb | 9.8 | | |
| 2023-05-22 | CVE-2023-28467 | In MyBB before 1.8.34, there is XSS in the User CP module via the user email field. | Mybb | 6.1 | | |
| 2023-01-03 | CVE-2022-45867 | MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. | Mybb | 7.2 | | |
| 2022-11-22 | CVE-2022-43707 | MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) that allows remote attackers to inject HTML via user input or stored data. | Mybb | 6.1 | | |