CVE-2023-41362
https://notcve.org/view.php?id=CVE-2023-41362
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in the Admin CP intentionally use eval, and there was some validation of the input to eval, but PHP type juggling interfered with that validation when PCRE was used. • https://blog.sorcery.ie/posts/mybb_acp_rce https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 https://mybb.com/versions/1.8.36 • CWE-94: Improper Control of Generation of Code ('Code Injection')
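The mechanism described in this entry, as an added illustration that is not MyBB's code: a validator that gates an eval()-based template engine with preg_match_all() and loosely compares the result. preg_match_all() returns false rather than 0 when PCRE aborts (for example with PREG_BACKTRACK_LIMIT_ERROR), and false == 0 holds in PHP, so a template crafted to exhaust the backtrack limit is accepted as containing no unsafe placeholder. The regex, function names and templates below are constructed for this example; they are not the pattern or functions from MyBB or its patch.

```php
<?php
// Added example (not MyBB's code): the bug class behind CVE-2023-41362.
// Templates are eval()'d as double-quoted PHP strings, so "{$...}" placeholders
// are interpolated by PHP itself. A regex is meant to reject any placeholder
// whose body is more than an identifier with [key] subscripts. preg_match_all()
// returns false (not 0) when PCRE gives up, and in PHP false == 0 is true, so a
// loose comparison treats a regex failure as "no unsafe placeholder found".

declare(strict_types=1);

// Constructed pattern: "{$", a body of identifier runs and [key] parts, then a
// character that is not allowed there (e.g. "(" for a call, "-" from "->").
// The repeated group containing \w+ is what lets crafted input blow up
// backtracking; it is the attacker's lever here, not a detail of MyBB's regex.
const UNSAFE_PLACEHOLDER = '#\{\$(?:\w+|\[\w*\])*[^\w\[\]}]#';

// Vulnerable: loose comparison, no PCRE error check.
function template_is_safe_loose(string $template): bool
{
    return preg_match_all(UNSAFE_PLACEHOLDER, $template) == 0;   // BUG: false == 0
}

// Hardened: strict comparison plus an explicit error check, failing closed.
function template_is_safe_strict(string $template): bool
{
    $n = preg_match_all(UNSAFE_PLACEHOLDER, $template);
    if ($n === false || preg_last_error() !== PREG_NO_ERROR) {
        return false;   // a template the engine could not scan is not validated
    }
    return $n === 0;
}

// Renders a validated template the way an eval()-based engine does.
function render(string $template, array $vars): string
{
    if (!template_is_safe_strict($template)) {
        throw new RuntimeException('template rejected');
    }
    extract($vars, EXTR_SKIP);
    $output = '';
    eval('$output = "' . str_replace('"', '\"', $template) . '";');
    return $output;
}

function demo(): array
{
    // Use the PCRE interpreter so pcre.backtrack_limit (default 1000000) applies
    // deterministically; the JIT is irrelevant to the type-juggling bug itself.
    ini_set('pcre.jit', '0');

    $benign  = 'Hello, {$username}!';
    $obvious = '{$phpinfo()}';
    // A long identifier body with no forbidden character: before giving up, the
    // engine tries every way of splitting the run between \w+ iterations, which
    // exhausts the backtrack limit. The real payload follows and is never scanned.
    $bomb = '{$' . str_repeat('a', 50) . '}{$phpinfo()}';

    preg_match_all(UNSAFE_PLACEHOLDER, $bomb);
    $bombBrokePcre = preg_last_error() === PREG_BACKTRACK_LIMIT_ERROR;

    return [
        'loose'  => [template_is_safe_loose($benign), template_is_safe_loose($obvious), template_is_safe_loose($bomb)],
        'strict' => [template_is_safe_strict($benign), template_is_safe_strict($obvious), template_is_safe_strict($bomb)],
        'bomb_hit_backtrack_limit' => $bombBrokePcre,
        'render_benign' => render($benign, ['username' => 'alice']),
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
}
```

Run with `php` 7.3 or later (PCRE2). The loose validator returns true, false, true for the three templates: the crafted one passes because false == 0. The strict validator returns true, false, false, because it treats a PCRE error as a rejection; any check that feeds eval() must fail closed on engine errors rather than on "no match".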
CVE-2023-28467
https://notcve.org/view.php?id=CVE-2023-28467
In MyBB before 1.8.34, there is XSS in the User CP module via the user email field. • https://github.com/ahmetaltuntas/CVE-2023-28467 https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646 https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-45867
https://notcve.org/view.php?id=CVE-2022-45867
MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. • https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
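The traversal in this entry, as an added illustration that is not MyBB's code: a loader that builds `languages/<language>/<file>.lang.php` from request-controlled names and include()s it, beside a version that allow-lists the names and checks that realpath() stays under the languages directory. The function names, directory layout and the constructed files are assumptions for the example, not the Languages module's real code or paths.

```php
<?php
// Added example (not MyBB's code): the bug class behind CVE-2022-45867.
// An Admin CP-style language loader joins a user-supplied language name into a
// path and include()s the result. Without validation, ".." segments escape the
// languages directory, turning a file read into local file inclusion and
// execution of any PHP file the web server can reach (an uploaded attachment,
// a log file with injected PHP, etc.).

declare(strict_types=1);

// Vulnerable: trusts the language and file names as path segments.
function load_language_unsafe(string $langDir, string $language, string $file): array
{
    $l = [];
    $path = "$langDir/$language/$file.lang.php";   // e.g. language = ".." escapes $langDir
    if (is_file($path)) {
        include $path;                             // BUG: attacker-controlled include
    }
    return $l;
}

// Hardened: names must be plain identifiers, and the resolved file must still
// live inside the languages directory after symlinks and ".." are resolved.
function load_language_safe(string $langDir, string $language, string $file): array
{
    if (!preg_match('/^[a-z0-9_-]+$/i', $language) || !preg_match('/^[a-z0-9_]+$/i', $file)) {
        throw new InvalidArgumentException('invalid language or file name');
    }
    $base = realpath($langDir);
    $path = realpath("$langDir/$language/$file.lang.php");
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file outside the languages directory');
    }
    $l = [];
    include $path;
    return $l;
}

// Demo on constructed files in a temporary directory.
function demo(): array
{
    $root = sys_get_temp_dir() . '/lang-lfi-demo-' . getmypid();
    $langDir = "$root/languages";
    mkdir("$langDir/english", 0700, true);
    file_put_contents("$langDir/english/global.lang.php", '<?php $l["welcome"] = "Welcome";');
    // Stands in for any attacker-written file outside the languages tree.
    file_put_contents("$root/evil.lang.php", '<?php $l["pwned"] = "code ran from " . __FILE__;');

    $unsafeLegit     = load_language_unsafe($langDir, 'english', 'global');
    $unsafeTraversal = load_language_unsafe($langDir, '..', 'evil');   // languages/../evil.lang.php
    $safeLegit       = load_language_safe($langDir, 'english', 'global');
    try {
        load_language_safe($langDir, '..', 'evil');
        $blocked = false;
    } catch (InvalidArgumentException $e) {
        $blocked = true;   // rejected by the name allow-list before any path is built
    }

    foreach (["$langDir/english/global.lang.php", "$root/evil.lang.php"] as $f) {
        unlink($f);
    }
    rmdir("$langDir/english");
    rmdir($langDir);
    rmdir($root);

    return [
        'unsafe_legit'           => $unsafeLegit['welcome'],          // "Welcome"
        'unsafe_traversal_ran'   => isset($unsafeTraversal['pwned']), // true: included and executed
        'safe_legit'             => $safeLegit['welcome'],            // "Welcome"
        'safe_traversal_blocked' => $blocked,                         // true
    ];
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
}
```

The allow-list on the names is the primary control; the realpath() prefix check is defence in depth for cases where a name passes the regex but a symlink inside the languages tree points elsewhere. Note that realpath() returns false for a non-existent file, which the hardened loader also treats as a rejection.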
CVE-2022-43707
https://notcve.org/view.php?id=CVE-2022-43707
MyBB 1.8.31 has a cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) that allows remote attackers to inject HTML via user input or stored data. • https://github.com/mybb/mybb/security/advisories/GHSA-6vpw-m83q-27px https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43708
https://notcve.org/view.php?id=CVE-2022-43708
MyBB 1.8.31 has a cross-site scripting (XSS) vulnerability (issue 2 of 2) in the post Attachments interface that allows attackers to inject HTML by persuading a user to upload a file with a specially crafted name. • https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')