CVSS: 7.2EPSS: 2%CPEs: 1EXPL: 2CVE-2022-26982 – SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-26982
SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator. NOTE: the vendor's position is that administrators are intended to have the ability to modify themes, and can thus choose any PHP code that they wish to have executed on the server. SimpleMachinesForum versiones 2.1.1 y anteriores, permiten a administradores remotos autenticados ejecutar código arbitrario al insertar un código php vulnerable porque los temas pueden ser modificados por un administrador SimpleMachinesForum version 2.1.1 suffers from an authenticated remote code execution vulnerability. • https://www.exploit-db.com/exploits/51057 http://packetstormsecurity.com/files/171486/SimpleMachinesForum-2.1.1-Remote-Code-Execution.html https://github.com/sartlabs/0days/blob/main/SimpleMachinesForum/Exploit.txt • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5727
https://notcve.org/view.php?id=CVE-2016-5727
LogInOut.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop. LogInOut.php en Simple Machines Forum (SMF) 2.1 permite a atacantes remotos llevar a cabo ataques de inyección de objetos PHP y ejecutar código PHP arbitrario a través de vectores relacionados con las variables derivadas de la entrada del usuario en un bucle foreach. • http://www.openwall.com/lists/oss-security/2016/06/10/7 http://www.openwall.com/lists/oss-security/2016/06/18/1 https://github.com/SimpleMachines/SMF2.1/commit/19e560b9f3e8fc6d7d9d60c1ff617b5ed5c08008#diff-513c4f9c501cbefcc14420c01848f23c https://github.com/SimpleMachines/SMF2.1/issues/3522 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5726
https://notcve.org/view.php?id=CVE-2016-5726
Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the themechanges array parameter. Packages.php en Simple Machines Forum (SMF) 2.1 permite a atacantes remotos llevar a cabo ataques de inyección de objetos PHP y ejecutar código PHP arbitrario a través del parámetro de array themechanges. • http://www.openwall.com/lists/oss-security/2016/06/10/7 http://www.openwall.com/lists/oss-security/2016/06/18/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.6EPSS: 0%CPEs: 48EXPL: 0CVE-2013-4465
https://notcve.org/view.php?id=CVE-2013-4465
Unrestricted file upload vulnerability in the avatar upload functionality in Simple Machines Forum before 2.0.6 and 2.1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. vulnerabilidad de subida sin restricción de archivos en la funcionalidad avatar upload en Simple Machines Forum antes de 2.0.6 y 2.1 que permite a los usuarios remotos autenticados ejecutar código arbitrario mediante la carga de un archivo con una extensión ejecutable , y a continuación, acceder a él a través de una petición directa al archivo en un directorio no especificado . • http://download.simplemachines.org/index.php?thanks%3Bfilename=smf_2-0-6_changelog.txt http://www.openwall.com/lists/oss-security/2013/10/23/6 http://www.openwall.com/lists/oss-security/2013/10/25/3 http://www.securityfocus.com/bid/63275 https://github.com/SimpleMachines/SMF2.1/issues/701 •