CVE-2021-41866
https://notcve.org/view.php?id=CVE-2021-41866
MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly. • https://github.com/mybb/mybb/security/advisories https://github.com/mybb/mybb/security/advisories/GHSA-gxhv-r3m5-6qv7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-39338 – MyBB Cross-Poster <= 1.0 Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-39338
The MyBB Cross-Poster WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via several parameters found in the ~/classes/MyBBXPSettings.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 1.0. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. • https://github.com/BigTiger2020/word-press/blob/main/MyBB%20Cross-Poster.md https://plugins.trac.wordpress.org/browser/mybb-cross-poster/trunk/classes/MyBBXPSettings.php https://www.wordfence.com/vulnerability-advisories/#CVE-2021-39338 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-19049
https://notcve.org/view.php?id=CVE-2020-19049
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'. • https://github.com/joelister/bug/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-19048
https://notcve.org/view.php?id=CVE-2020-19048
Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'. • https://github.com/joelister/bug/issues/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27949
https://notcve.org/view.php?id=CVE-2021-27949
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools. • https://github.com/mybb/mybb/security/advisories/GHSA-cmmr-39v8-8rx2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')