Vulnerabilities (CVE)

Filtered by vendor Mybboard Subscribe
Filtered by product Mybb
Total 6 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2010-5096 2 Mybb, Mybboard 2 Mybb, Mybb 2024-08-07 7.5 HIGH N/A
** DISPUTED ** Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error."
CVE-2009-4448 1 Mybboard 1 Mybb 2024-02-04 5.0 MEDIUM N/A
inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.
CVE-2009-4813 1 Mybboard 1 Mybb 2024-02-04 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.
CVE-2009-4449 1 Mybboard 1 Mybb 2024-02-04 6.3 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
CVE-2008-7082 1 Mybboard 1 Mybb 2024-02-04 6.8 MEDIUM N/A
MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.
CVE-2008-6198 1 Mybboard 2 Custom Pages Plugin, Mybb 2024-02-04 7.5 HIGH N/A
SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.