CVE-2014-9254 – MiniBB 3.1 - Blind SQL Injection
https://notcve.org/view.php?id=CVE-2014-9254
bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQL injection attacks via the code parameter in an unsubscribe action to index.php.
miniBB version 3.1 suffers from a remote blind SQL injection vulnerability.
• https://www.exploit-db.com/exploits/35579
• http://secunia.com/advisories/61794
• http://security.szurek.pl/minibb-31-blind-sql-injection.html
• http://www.minibb.com/forums/news-9/blind-sql-injection-fix-6430.html
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2013-5020 – WordPress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-5020
Multiple cross-site scripting (XSS) vulnerabilities in bb_admin.php in MiniBB before 3.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_name, (2) forum_group, (3) forum_icon, or (4) forum_desc parameter. NOTE: the whatus vector is already covered by CVE-2008-2066.
• https://www.exploit-db.com/exploits/38639
• http://osvdb.org/95122
• http://seclists.org/fulldisclosure/2013/Jul/102
• http://www.minibb.com/download.php?file=minibb_update
• http://www.minibb.com/forums/news-9/minibb-3.0.1-released-stable-fixed-secured-dedicated-6059.html
• http://www.securityfocus.com/bid/61116
• https://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-minibb
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2008-2029 – MiniBB 2.2 - Cross-Site Scripting / SQL Injection / Full Path Disclosure
https://notcve.org/view.php?id=CVE-2008-2029
Multiple SQL injection vulnerabilities in (1) setup_mysql.php and (2) setup_options.php in miniBB 2.2 and possibly earlier, when register_globals is enabled, allow remote attackers to execute arbitrary SQL commands via the xtr parameter in a userinfo action to index.php.
• https://www.exploit-db.com/exploits/5494
• http://secunia.com/advisories/29997
• http://www.minibb.net/forums/9_5110_0.html
• http://www.securityfocus.com/bid/28930
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42014
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2008-2028 – MiniBB 2.2 - Cross-Site Scripting / SQL Injection / Full Path Disclosure
https://notcve.org/view.php?id=CVE-2008-2028
miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to obtain the full path via a direct request to the glang parameter in a registernew action to index.php, which leaks the path in an error message.
• https://www.exploit-db.com/exploits/5494
• http://secunia.com/advisories/29997
• http://www.minibb.net/forums/9_5110_0.html
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42012
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2008-2024 – MiniBB 2.2 - Cross-Site Scripting / SQL Injection / Full Path Disclosure
https://notcve.org/view.php?id=CVE-2008-2024
Cross-site scripting (XSS) vulnerability in index.php in miniBB 2.2, and possibly earlier, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the glang[] parameter in a registernew action.
• https://www.exploit-db.com/exploits/5494
• http://secunia.com/advisories/29997
• http://www.minibb.net/forums/9_5110_0.html
• http://www.securityfocus.com/bid/28930
• https://exchange.xforce.ibmcloud.com/vulnerabilities/42013
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')