Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, it is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.
Max CVSS
10.0
EPSS Score
0.14%
Published
2006-01-16
Updated
2013-01-03
Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."
Max CVSS
10.0
EPSS Score
0.19%
Published
2012-08-30
Updated
2012-09-13
Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."
Max CVSS
10.0
EPSS Score
0.34%
Published
2015-03-29
Updated
2016-12-03
SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
10.0
EPSS Score
0.16%
Published
2017-01-31
Updated
2017-02-05
SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
9.8
EPSS Score
0.20%
Published
2017-01-31
Updated
2017-02-05
newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.
Max CVSS
9.8
EPSS Score
0.48%
Published
2017-01-31
Updated
2017-02-05
MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.
Max CVSS
9.8
EPSS Score
0.48%
Published
2017-01-31
Updated
2017-02-05
SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
9.8
EPSS Score
0.20%
Published
2017-01-31
Updated
2017-02-05
MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."
Max CVSS
9.8
EPSS Score
0.61%
Published
2017-01-31
Updated
2017-02-05
The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.
Max CVSS
9.8
EPSS Score
4.57%
Published
2017-11-10
Updated
2019-10-03
Installer RCE on settings file write in MyBB before 1.8.22.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-09-01
Updated
2023-09-07
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.
Max CVSS
8.8
EPSS Score
0.08%
Published
2020-08-10
Updated
2020-08-13
SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.
Max CVSS
8.8
EPSS Score
0.24%
Published
2021-03-15
Updated
2021-09-21
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
Max CVSS
8.8
EPSS Score
0.16%
Published
2021-03-15
Updated
2021-03-23
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.
Max CVSS
8.7
EPSS Score
0.07%
Published
2019-06-15
Updated
2019-06-20
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.
Max CVSS
8.3
EPSS Score
0.25%
Published
2017-01-31
Updated
2017-02-05
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.
Max CVSS
7.7
EPSS Score
0.36%
Published
2017-04-06
Updated
2017-04-13
Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.
Max CVSS
7.5
EPSS Score
1.22%
Published
2005-12-13
Updated
2018-10-19
SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.
Max CVSS
7.5
EPSS Score
9.93%
Published
2007-04-11
Updated
2018-10-16
Multiple SQL injection vulnerabilities in calendar.php in MyBB (aka MyBulletinBoard) 1.2.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) month parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
Max CVSS
7.5
EPSS Score
0.14%
Published
2007-04-24
Updated
2017-07-29
Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php.
Max CVSS
7.5
EPSS Score
0.30%
Published
2008-01-22
Updated
2018-10-15
Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.
Max CVSS
7.5
EPSS Score
0.14%
Published
2008-07-08
Updated
2012-11-27
Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.
Max CVSS
7.5
EPSS Score
0.23%
Published
2008-07-08
Updated
2012-11-27
SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.
Max CVSS
7.5
EPSS Score
0.96%
Published
2008-09-11
Updated
2008-11-15
moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors.
Max CVSS
7.5
EPSS Score
0.64%
Published
2008-09-11
Updated
2008-11-15
122 vulnerabilities found