CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2017-8104
https://notcve.org/view.php?id=CVE-2017-8104
In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter. En MyBB en versiones anteriores a 1.8.11, el módulo smilie permite Salto de Directorio a través del parámetro pathfolder. • http://seclists.org/fulldisclosure/2017/Apr/55 http://www.securityfocus.com/bid/98045 https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-8103
https://notcve.org/view.php?id=CVE-2017-8103
In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event. En MyBB en versiones anteriores a 1.8.11, el componente Email MyCode permite XSS, como lo demuestra un evento onmouseover. • http://seclists.org/fulldisclosure/2017/Apr/53 https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2017-7566 – MyBB 1.8.10 Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2017-7566
MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism. MyBB en versiones anteriores a 1.8.11 permite a atacantes remotos evitar un mecanismo de protección SSRF. MyBB version 1.8.10 suffers from a server-side request forgery vulnerability. • http://www.securityfocus.com/bid/97480 https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release https://github.com/mybb/mybb/commit/f5de8fc2aad11e0d2583f585535ccfa2b46325db#diff-7fe6e55397c77ab9a0f5d57bc4cbe5b9R6781 https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170407-0_MyBB_SSRF_vulnerability_v10.txt • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.3EPSS: 0%CPEs: 8EXPL: 0CVE-2015-8973
https://notcve.org/view.php?id=CVE-2015-8973
xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password. xmlhttp.php en MyBB (también conocido como MyBulletinBoard) en versiones anteriores a 1.6.18 y 1.8.x en versiones anteriores a 1.8.6 y MyBB Merge System en versiones anteriores a 1.8.6 permite a atacantes remotos eludir las restricciones de acceso previstas a través de vectores relacionados con la contraseña del foro. • http://www.openwall.com/lists/oss-security/2016/11/10/8 http://www.openwall.com/lists/oss-security/2016/11/18/1 http://www.securityfocus.com/bid/94397 https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-system-1-8-6-release • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-9418
https://notcve.org/view.php?id=CVE-2016-9418
MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name. MyBB (también conocido como MyBulletinBoard) en versiones anteriores a 1.8.8 en Windows y MyBB Merge System en versiones anteriores a 1.8.8 en Windows podrían permitir a atacantes remotos obtener información sensible de las copias de seguridad de ACP a través de vectores que implican un nombre corto. • http://www.openwall.com/lists/oss-security/2016/11/10/8 http://www.openwall.com/lists/oss-security/2016/11/18/1 http://www.securityfocus.com/bid/94396 https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •