CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 2CVE-2025-2583 – SimpleMachines SMF ManageNews.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-2583
21 Mar 2025 — A vulnerability was found in SimpleMachines SMF 2.1.4. It has been classified as problematic. This affects an unknown part of the file ManageNews.php. The manipulation of the argument subject/message leads to cross site scripting. It is possible to initiate the attack remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc5.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 2CVE-2025-2582 – SimpleMachines SMF ManageAttachments.php cross site scripting
https://notcve.org/view.php?id=CVE-2025-2582
21 Mar 2025 — A vulnerability was found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this issue is some unknown functionality of the file ManageAttachments.php. The manipulation of the argument Notice leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7438 – SimpleMachines SMF User Alert Read Status index.php resource injection
https://notcve.org/view.php?id=CVE-2024-7438
03 Aug 2024 — A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc2.md • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7437 – SimpleMachines SMF Delete User index.php resource injection
https://notcve.org/view.php?id=CVE-2024-7437
03 Aug 2024 — A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc1.md • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 8.8EPSS: 0%CPEs: 13EXPL: 0CVE-2011-4173
https://notcve.org/view.php?id=CVE-2011-4173
24 Oct 2011 — Cross-site request forgery (CSRF) vulnerability in Simple Machines Forum (SMF) 2.x before 2.0.1 allows remote attackers to hijack the authentication of administrators or moderators via vectors involving image files, a different vulnerability than CVE-2011-3615. NOTE: some of these details are obtained from third party information. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF)en Simple Machines Forum (SMF) v2.x anterior a v2.0.1 permite a atacantes remotos secuestrar la autenticación ... • http://openwall.com/lists/oss-security/2011/10/09/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 62EXPL: 0CVE-2011-3615
https://notcve.org/view.php?id=CVE-2011-3615
24 Oct 2011 — Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name. NOTE: some of these details are obtained from third party information. Multiples vulnerabilidades de inyección SQL en Simple Machines Forum (SMF) anterios a v1.1.15 y v2.x anteriores a 2.0.1 que permiten a atacantes remotos ejecutar comandos SQL de su elección a traves de vectores que inc... • http://openwall.com/lists/oss-security/2011/10/09/3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 1%CPEs: 57EXPL: 0CVE-2011-1127
https://notcve.org/view.php?id=CVE-2011-1127
21 Jun 2011 — SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly restrict guest access, which allows remote attackers to have an unspecified impact via unknown vectors. SSI.php en Simple Machines Forum ( SMF ) antes de v1.1.13, y v2.x antes de v2.0 RC5, no restringe correctamente el acceso de invitados, lo que permite a atacantes remotos tener un impacto no especificado a través de vectores desconocidos. • http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 57EXPL: 0CVE-2011-1128
https://notcve.org/view.php?id=CVE-2011-1128
21 Jun 2011 — The loadUserSettings function in Load.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly handle invalid login attempts, which might make it easier for remote attackers to obtain access or cause a denial of service via a brute-force attack. La función loadUserSettings en ??load.php en Simple Machines Forum (SMF ) antes de v1.1.13, y v2.x antes de v2.0 RC5, no controla correctamente intentos fallidos de inicio de sesión, lo que podría facilitar a los atacantes remotos ... • http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip • CWE-310: Cryptographic Issues •
CVSS: 5.4EPSS: 0%CPEs: 57EXPL: 0CVE-2011-1129
https://notcve.org/view.php?id=CVE-2011-1129
21 Jun 2011 — Cross-site scripting (XSS) vulnerability in the EditNews function in ManageNews.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, might allow remote authenticated users to inject arbitrary web script or HTML via a save_items action. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en la función EditNews en ManageNews.php de Simple Machines Forum antes de v1.1.13 y v2.x antes de 2.0 RC5 , permite a atacantes remotos inyectar secuencias de comandos web o H... • http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 57EXPL: 0CVE-2011-1130
https://notcve.org/view.php?id=CVE-2011-1130
21 Jun 2011 — Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly validate the start parameter, which might allow remote attackers to conduct SQL injection attacks, obtain sensitive information, or cause a denial of service via a crafted value, related to the cleanRequest function in QueryString.php and the constructPageIndex function in Subs.php. Simple Machines Forum (SMF ) antes de v1.1.13, y v2.x antes de v2.0 RC5, no valida correctamente los parámetros de inicio, lo que podría permit... • http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip • CWE-20: Improper Input Validation •