CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Jan 2020 — MyBB before 1.8.22 allows an open redirect on login. • https://blog.mybb.com/2019/12/30/mybb-1-8-22-released-security-maintenance-release • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

11 Jul 2019 — A CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the security of the targeted account by disabling two-factor authentication. • https://community.mybb.com/thread-162369.html • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Jun 2019 — In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE. • https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release • CWE-20: Improper Input Validation

CVSS: 8.7 • EPSS: 0% • CPEs: 1 • EXPL: 1

15 Jun 2019 — In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue. • https://blog.mybb.com/2019/06/10/mybb-1-8-21-released-security-maintenance-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Jun 2019 — MyBB 1.8.19 has XSS in the resetpassword function. • https://blog.mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

06 Jun 2019 — MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter. • https://blog.mybb.com • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Apr 2019 — A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter. • https://blog.mybb.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Mar 2019 — A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter. • https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

18 Mar 2019 — In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page. • https://www.exploit-db.com/exploits/46347 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 4% • CPEs: 1 • EXPL: 3

16 Feb 2019 — Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. MyBB Trash Bin plugin version 1.1.3 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://packetstorm.news/files/id/151704 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-352: Cross-Site Request Forgery (CSRF)