CVSS: 7.2EPSS: 1%CPEs: 1EXPL: 3CVE-2022-26982 – SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-26982
05 Apr 2022 — SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server. SimpleMachinesForum versiones 2.1.1 y anteriores, permiten a administradores remotos autenticados ejecutar código arbitrario al inse... • https://packetstorm.news/files/id/171486 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4395
https://notcve.org/view.php?id=CVE-2013-4395
12 Feb 2020 — Simple Machines Forum (SMF) through 2.0.5 has XSS Simple Machines Forum (SMF) versiones hasta 2.0.5, presenta una vulnerabilidad de tipo XSS. • http://www.openwall.com/lists/oss-security/2013/10/01/8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 7%CPEs: 1EXPL: 1CVE-2013-0192 – Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2013-0192
07 Feb 2020 — File Disclosure in SMF (SimpleMachines Forum) <= 2.0.3: Forum admin can read files such as the database config. Una Divulgación de Archivos en SMF (SimpleMachines Forum) versiones anteriores a 2.0.3 incluyéndola: el administrador del foro puede leer archivos tales como el database config. • https://www.exploit-db.com/exploits/10274 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12490
https://notcve.org/view.php?id=CVE-2019-12490
22 Jan 2020 — An issue was discovered in Simple Machines Forum (SMF) before 2.0.16. Reverse tabnabbing can occur because of use of _blank for external links. Se detectó un problema en Simple Machines Forum (SMF) versiones anteriores a 2.0.16. Un tabnabbing inverso puede presentarse debido al uso de _blank para enlaces externos. • https://www.simplemachines.org/community/index.php?topic=570986.0 •
CVSS: 7.2EPSS: 4%CPEs: 1EXPL: 1CVE-2009-5068 – Simple Machines Forum (SMF) 1.1.10/2.0 RC2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2009-5068
15 Jan 2020 — There is a file disclosure vulnerability in SMF (Simple Machines Forum) affecting versions through v2.0.3. On some configurations a SMF deployment is shared by several "co-admins" that are not trusted beyond the SMF deployment. This vulnerability allows them to read arbitrary files on the filesystem and therefore gain new privileges by reading the settings.php with the database passwords. Hay una vulnerabilidad de divulgación de archivos en SMF (Simple Machines Forum) afectando a las versiones hasta la vers... • https://www.exploit-db.com/exploits/10274 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2013-7466
https://notcve.org/view.php?id=CVE-2013-7466
07 Mar 2019 — Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation. Simple Machines Forum (SMF), en su versión 2.0.4, permite la inclusión local de archivos con una ejecución remota de código resultante en install.php mediante el salto de directorio ../ en el parámetro db_type si install.php está presente después de la instalación. • http://hauntit.blogspot.com/2013/04/en-smf-204-full-disclosure.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2013-7467
https://notcve.org/view.php?id=CVE-2013-7467
07 Mar 2019 — Simple Machines Forum (SMF) 2.0.4 allows XSS via the index.php?action=pm;sa=settings;save sa parameter. Simple Machines Forum (SMF), en su versión 2.0.4, permite Cross-Site Scripting (XSS) mediante el parámetro sa en index.php?action=pm;sa=settings;save. • http://hauntit.blogspot.com/2013/04/en-smf-204-full-disclosure.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2013-7468
https://notcve.org/view.php?id=CVE-2013-7468
07 Mar 2019 — Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter. Simple Machines Forum (SMF), en su versión 2.0.4, permite la inyección de código PHP mediante el parámetro dictionary en index.php?action=admin;area=languages;sa=editlang. • https://packetstormsecurity.com/files/121391/public_phpInjection-smf204.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-10305
https://notcve.org/view.php?id=CVE-2018-10305
24 Apr 2018 — The MessageSearch2 function in PersonalMessage.php in Simple Machines Forum (SMF) before 2.0.15 does not properly use the possible_users variable in a query, which might allow attackers to bypass intended access restrictions. La función MessageSearch2 en PersonalMessage.php en Simple Machines Forum (SMF), en versiones anteriores a la 2.0.15, no emplea correctamente la variable possible_users en una consulta, lo que podría permitir que los atacantes omitan las restricciones de acceso planeadas. • https://www.simplemachines.org/community/index.php?topic=557176.0 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5726
https://notcve.org/view.php?id=CVE-2016-5726
09 Feb 2017 — Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter. Packages.php en Simple Machines Forum (SMF) 2.1 permite a atacantes remotos llevar a cabo ataques de inyección de objetos PHP y ejecutar código PHP arbitrario a través del parámetro de array themechanges. • http://www.openwall.com/lists/oss-security/2016/06/10/7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •