CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3308
https://notcve.org/view.php?id=CVE-2007-3308
21 Jun 2007 — Simple Machines Forum (SMF) 1.1.2 uses a concatenation method with insufficient randomization when creating a WAV file CAPTCHA, which allows remote attackers to pass the CAPTCHA test via an automated brute-force attack. Simple Machines Forum (SMF) 1.1.2 utiliza un método de concatenación con aleatoriedad insuficiente al crear el CAPTCHA de un fichero WAV, lo cual permite a atacantes remotos evitar el test del CAPTCHA mediante un ataque automatizado por fuerza bruta. • http://osvdb.org/40617 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3309
https://notcve.org/view.php?id=CVE-2007-3309
21 Jun 2007 — Unspecified vulnerability in Simple Machines Forum (SMF) 1.1.2 allows remote attackers to execute arbitrary PHP code during (1) creation or (2) editing of a message. Vulnerabilidad no especificada en Simple Machines Forum (SMF) 1.1.2 permite a atacantes remotos ejecutar código PHP de su elección durante la (1) creación o (2) edición de un mensaje. • http://osvdb.org/40433 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2546
https://notcve.org/view.php?id=CVE-2007-2546
09 May 2007 — Session fixation vulnerability in Simple Machines Forum (SMF) 1.1.2 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID parameter. Vulnerabilidad de fijación de sesión en Simple Machines Forum (SMF) 1.1.2 y versiones anteriores permite a atacantes remotos secuestrar sesiones web estableciendo el parámetro PHPSESSID. • http://osvdb.org/35705 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2006-7013
https://notcve.org/view.php?id=CVE-2006-7013
15 Feb 2007 — QueryString.php in Simple Machines Forum (SMF) 1.0.7 and earlier, and 1.1rc2 and earlier, allows remote attackers to more easily spoof the IP address and evade banning via a modified X-Forwarded-For HTTP header, which is preferred instead of other more reliable sources for the IP address. NOTE: the original researcher claims that the vendor has disputed this issue ** IMPUGNADA ** QueryString.php de Simple Machines Forum (SMF) 1.0.7 y anteriores, y 1.1rc2 y anteriores, permite a atacantes remotos falsear más... • http://securityreason.com/securityalert/2256 •
CVSS: 6.0EPSS: 1%CPEs: 1EXPL: 1CVE-2007-0399 – SMF 1.1 - 'index.php' HTML Injection
https://notcve.org/view.php?id=CVE-2007-0399
22 Jan 2007 — Multiple cross-site scripting (XSS) vulnerabilities in index.php in Simple Machines Forum (SMF) 1.1 RC3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) recipient or (2) BCC field when selecting send in a pm action. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en index.php de Simple Machines Forum (SMF) 1.1 RC3 permite a atacantes remotos autenticados inyectar scripts web o HTML de su elección mediante el campo (1) recipient ó (2) BCC cuand... • https://www.exploit-db.com/exploits/29499 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2006-5503 – Simple Machines Forum (SMF) 1.0/1.1 - 'index.php' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2006-5503
25 Oct 2006 — Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) 1.1 RC2 allows remote attackers to inject arbitrary web script or HTML via the action parameter. Vulnerabilidad en secuencias de comandos en sitios cruzados (XSS) en el archivo index.php en el Simple Machines Forum (SMF) 1.1 RC2 permite a atacantes remotos la inyección de secuencia de comandos de Web o HTML mediante el parámetro de "action". • https://www.exploit-db.com/exploits/28831 •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2006-5504
https://notcve.org/view.php?id=CVE-2006-5504
25 Oct 2006 — Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) allows remote attackers to inject arbitrary web script or HTML via a base64 encoded params value in the action parameter. Vulnerabilidad en secuencias de comandos en sitios cruzados (XSS) en el archivo index.php en el Simple Machines Forum (SMF) permite a atacantes remotos la inyección de secuencia de comandos de Web o HTML mediante el valor en el parámetro de "action" codificado en Base64. • http://osvdb.org/31070 •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2006-4467
https://notcve.org/view.php?id=CVE-2006-4467
31 Aug 2006 — Simple Machines Forum (SMF) 1.1RCx before 1.1RC3, and 1.0.x before 1.0.8, does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to perform directory traversal attacks to read arbitrary local files, lock topics, and possibly have other security impacts. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in ... • http://retrogod.altervista.org/smf_11rc2_local_incl.html •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2006-0896
https://notcve.org/view.php?id=CVE-2006-0896
25 Feb 2006 — Cross-site scripting (XSS) vulnerability in Sources/Register.php in Simple Machine Forum (SMF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For HTTP header field. • http://attrition.org/pipermail/vim/2006-April/000682.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2005-4159
https://notcve.org/view.php?id=CVE-2005-4159
11 Dec 2005 — NOTE: this issue has been disputed by the vendor and third parties. SQL injection vulnerability in Memberlist.php in Simple Machines Forum (SMF) 1.1 rc1 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter. NOTE: the vendor says that since only one character can be modified, there is no SQL injection. Thus this might be an "invalid SQL syntax error." Multiple followups support the vendor ** DISPUTADA ** El fabricante y terceras partes han disputado este asunto. • http://archives.neohapsis.com/archives/bugtraq/2005-12/0090.html •