CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP. • https://blog.sorcery.ie/posts/mybb_acp_rce https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 https://mybb.com/versions/1.8.36 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field. • https://github.com/ahmetaltuntas/CVE-2023-28467 https://github.com/mybb/mybb/security/advisories/GHSA-3q8x-9fh2-v646 https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution. • https://github.com/mybb/mybb/security/advisories/GHSA-cpfv-6f8w-759r • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

MyBB 1.8.31 has a cross-site scripting (XSS) vulnerability (issue 2 of 2) in the post Attachments interface that allows attackers to inject HTML by persuading the user to upload a file with a specially crafted name. • https://github.com/mybb/mybb/security/advisories/GHSA-p9m7-9qv4-x93w https://mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module that allows remote authenticated users to modify the query string via direct user input or stored search filter settings. • https://github.com/mybb/mybb/security/advisories/GHSA-ggp5-454p-867v https://mybb.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •