CVSS: 9.8EPSS: 7%CPEs: 60EXPL: 2CVE-2010-5096 – MyBB 1.6 - 'private.php?keywords' SQL Injection
https://notcve.org/view.php?id=CVE-2010-5096
13 Aug 2012 — Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error. ** EN DISPUTA ** Múltiples vulnerabilidades de inyección SQL en MyBB (también conocido como MyBulletinBoard) antes de v1.6.1 permit... • https://www.exploit-db.com/exploits/35141 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 3CVE-2009-4813 – MyBB 1.4.10 - 'myps.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-4813
27 Apr 2010 — Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en myps.php en MyBB (también conocido como MyBulletinBoard) 1.4.10 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro "username" en una acción "donate". • https://www.exploit-db.com/exploits/33439 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 0CVE-2009-4448
https://notcve.org/view.php?id=CVE-2009-4448
29 Dec 2009 — inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors. inc/functions_time.php en MyBB (alias MyBulletinBoard) v1.4.10, y posiblemente versiones anteriores, permite a atacantes remotos provocar una denegación de servicio (consumo de CPU) mediante una solicitud elaborada... • http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update • CWE-399: Resource Management Errors •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2009-4449
https://notcve.org/view.php?id=CVE-2009-4449
29 Dec 2009 — Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php. Vulnerabilidad de salto de directorio en MyBB (MyBulletinBoard) v1.4.10, y posiblemente versiones anteriores. Cuando se cambia el avatar de us... • http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2008-7082
https://notcve.org/view.php?id=CVE-2008-7082
25 Aug 2009 — MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header. MyBB (también conocido como MyBulletinBoard) v1.4.3 incluye el parámetro "my_post_key" en URLs en moderation.php con las acciones ... • http://osvdb.org/50275 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2CVE-2008-6198 – MyBB Plugin Custom Pages 1.0 - SQL Injection
https://notcve.org/view.php?id=CVE-2008-6198
20 Feb 2009 — SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter. Vulnerabilidad de inyección SQL en pages.php en el complemento Custom Pages v1.0 para MyBulletinBoard (MyBB), permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro "page". • https://www.exploit-db.com/exploits/5379 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •