CVE-2018-6506
https://notcve.org/view.php?id=CVE-2018-6506
Cross-Site Scripting (XSS) exists in the Add Forum feature in the Administrative Panel in miniBB 3.2.2 via crafted use of an onload attribute of an SVG element in the supertitle field. Existe Cross-Site Scripting (XSS) en la característica Add Forum en el panel administrativo en miniBB 3.2.2 mediante el uso manipulado de un atributo onload de un elemento SVG en el campo supertitle. • https://offensivehacking.wordpress.com/2018/02/07/minibb-forums-v3-2-2-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-9254 – MiniBB 3.1 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-9254
bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to index.php. bb_func_unsub.php en MiniBB 3.1 anterior a 20141127 utiliza una expresión regular incorrecta, lo que permite a atacantes remotos llevar a cabo ataques de inyección SQL a través del parámetro código en la acción cancelar la suscripción en index.php. miniBB version 3.1 suffers from a remote blind SQL injection vulnerability. • https://www.exploit-db.com/exploits/35579 http://secunia.com/advisories/61794 http://security.szurek.pl/minibb-31-blind-sql-injection.html http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2013-5020 – WordPress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-5020
Multiple cross-site scripting (XSS) vulnerabilities in bb_admin.php in MiniBB before 3.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_name, (2) forum_group, (3) forum_icon, or (4) forum_desc parameter. NOTE: the whatus vector is already covered by CVE-2008-2066. Múltiples vulnerabilidades XSS en bb_admin.php en MiniBB anterior 3.0.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de los parámetros (1) forum_name, (2) forum_group, (3) forum_icon, o (4) forum_desc. NOTA: el vector "whatus" está cubierto en el CVE-2008-2066. • https://www.exploit-db.com/exploits/38639 http://osvdb.org/95122 http://seclists.org/fulldisclosure/2013/Jul/102 http://www.minibb.com/download.php?file=minibb_update http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html http://www.securityfocus.com/bid/61116 https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-2066
https://notcve.org/view.php?id=CVE-2008-2066
Cross-site scripting (XSS) vulnerability in bb_admin.php in miniBB 2.2a allows remote attackers to inject arbitrary web script or HTML via the whatus parameter in a searchusers2 action. NOTE: it was later reported that other versions before 3.0.1 are also vulnerable. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados en bb_admin.php en miniBB, permite a atacantes remotos inyectar código web o HTML de su elección a través del parámetro "whatus" en una acción de "searchusers2". • http://osvdb.org/95122 http://seclists.org/fulldisclosure/2013/Jul/102 http://secunia.com/advisories/30004 http://securityreason.com/securityalert/3846 http://www.minibb.com/download.php?file=minibb_update http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html http://www.securityfocus.com/archive/1/491375/100/0/threaded http://www.securityfocus.com/bid/28957 http://www.securityfocus.com/bid/61116 https://exchange.xforce.ibmcloud.com& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-2067
https://notcve.org/view.php?id=CVE-2008-2067
SQL injection vulnerability in bb_admin.php in miniBB 2.2a allows remote attackers to execute arbitrary SQL commands via the whatus parameter in a searchusers2 action. NOTE: it was later reported that other versions before 3.0.1 are also vulnerable. Vulnerabilidad de inyección SQL en bb_admin.php en miniBB, permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "whatus" en una accción "searchusers2". • http://osvdb.org/95121 http://seclists.org/fulldisclosure/2013/Jul/102 http://secunia.com/advisories/30004 http://securityreason.com/securityalert/3846 http://www.minibb.com/download.php?file=minibb_update http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html http://www.securityfocus.com/archive/1/491375/100/0/threaded http://www.securityfocus.com/bid/61116 https://exchange.xforce.ibmcloud.com/vulnerabilities/42270 https://www.mavitunas • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •