CVSS: 4.3EPSS: 0%CPEs: 31EXPL: 0CVE-2008-1485
https://notcve.org/view.php?id=CVE-2008-1485
Cross-site scripting (XSS) vulnerability in PunBB 1.2.16 and earlier allows remote attackers to inject arbitrary web script or HTML via the get_host parameter to moderate.php. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en PunBB 1.2.16 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro get_host parameter a moderate.php. • http://osvdb.org/45561 http://punbb.org/download/changelogs/1.2.16_to_1.2.17.txt http://secunia.com/advisories/29043 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2235
https://notcve.org/view.php?id=CVE-2007-2235
Multiple cross-site scripting (XSS) vulnerabilities in PunBB 1.2.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Referer HTTP header to misc.php or the (2) category name when deleting a category in admin_categories.php. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en el PunBB 1.2.14 y versiones anteriores permite a atacantes remotos la inyección de secuencias de comandos web o HTML de su elección a través de (1) una cabecera Referer HTTP en el misc.php o (2) la categoría nombre ("name") cuando se borra una categoría del admin_categories.php. • http://dev.punbb.org/changeset/934 http://dev.punbb.org/changeset/938 http://secunia.com/advisories/24843 http://securityreason.com/securityalert/2613 http://www.acid-root.new.fr/advisories/13070411.txt http://www.securityfocus.com/archive/1/465338/100/100/threaded http://www.securityfocus.com/archive/1/465400/100/100/threaded http://www.vupen.com/english/advisories/2007/1362 •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-2234
https://notcve.org/view.php?id=CVE-2007-2234
include/common.php in PunBB 1.2.14 and earlier does not properly handle a disabled ini_get function when checking the register_globals setting, which allows remote attackers to register global parameters, as demonstrated by an SQL injection attack on the search_id parameter to search.php. include/common.php en PunBB 1.2.14 y anteriores no maneja adecuadamente una función deshabilitada ini_get cuando valida la configuración register_globals, lo cual permite a atacantes remotos registrar parámetros globales, como se demostró con el ataque de inyección SQL en el parámetro search_id en search.php. • http://dev.punbb.org/changeset/933 http://securityreason.com/securityalert/2613 http://www.acid-root.new.fr/advisories/13070411.txt http://www.securityfocus.com/archive/1/465338/100/100/threaded http://www.securityfocus.com/archive/1/465400/100/100/threaded •
CVSS: 6.8EPSS: 2%CPEs: 1EXPL: 0CVE-2007-2236
https://notcve.org/view.php?id=CVE-2007-2236
footer.php in PunBB 1.2.14 and earlier allows remote attackers to include local files in include/user/ via a cross-site scripting (XSS) attack, or via the pun_include tag, as demonstrated by use of admin_options.php to execute PHP code from an uploaded avatar file. footer.php de PunBB 1.2.14 y versiones anteriores permite a atacantes remotos incluir ficheros locales en include/user/ mediante un ataque de secuencias de comandos en sitios cruzados (XSS), ó mediante la etiqueta pun_include, como se demuestra al usar admin_options.php para ejecutar código PHP de un fichero avatar promocionado. • http://dev.punbb.org/changeset/937 http://secunia.com/advisories/24843 http://securityreason.com/securityalert/2613 http://www.acid-root.new.fr/advisories/13070411.txt http://www.securityfocus.com/archive/1/465338/100/100/threaded http://www.securityfocus.com/archive/1/465400/100/100/threaded http://www.vupen.com/english/advisories/2007/1362 •
CVSS: 5.1EPSS: 1%CPEs: 29EXPL: 2CVE-2006-5736
https://notcve.org/view.php?id=CVE-2006-5736
SQL injection vulnerability in search.php in PunBB before 1.2.14, when the PHP installation is vulnerable to CVE-2006-3017, allows remote attackers to execute arbitrary SQL commands via the result_list array parameter, which is not initialized. Vulnerabilidad de inyección SQL en search.php en PunBB anetrior a 1.2.14, cuando la instalación de PHP es vulnerable a CVE-2006-3017, permite a atacantes remotos ejecutar comandos SQL de su elección mediante el parámetro array result_list, que no se inicializa. • http://securityreason.com/securityalert/1824 http://securitytracker.com/id?1017131 http://www.osvdb.org/30133 http://www.punbb.org/changelogs/1.2.13_to_1.2.14.txt http://www.securityfocus.com/archive/1/450055/100/0/threaded http://www.vupen.com/english/advisories/2006/4256 http://www.wargan.org/index.php/2006/10/29/4-punbb-1213-multiple-vulnerabilities •