CVE-2023-41362
https://notcve.org/view.php?id=CVE-2023-41362
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP. • https://blog.sorcery.ie/posts/mybb_acp_rce https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 https://mybb.com/versions/1.8.36 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-28467
https://notcve.org/view.php?id=CVE-2023-28467
In MyBB before 1.8.34, there is XSS in the User CP module via the user email field. • https://github.com/ahmetaltuntas/CVE-2023-28467 https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646 https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-28354 – MyBB Active Threads 1.3.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2022-28354
In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period. MyBB Active Threads plugin version 1.3.0 suffers from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/171402/MyBB-Active-Threads-1.3.0-Cross-Site-Scripting.html https://community.mybb.com/mods.php?action=view&pid=1336 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-45867
https://notcve.org/view.php?id=CVE-2022-45867
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. • https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2022-43707
https://notcve.org/view.php?id=CVE-2022-43707
MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) that allows remote attackers to inject HTML via user input or stored data. • https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •