CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-27946 – MyBB 1.8.25 - Poll Vote Count SQL Injection
https://notcve.org/view.php?id=CVE-2021-27946
SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3). Una vulnerabilidad de inyección SQL en MyBB, versiones anteriores a 1.8.26, mediante el recuento de votos de la encuesta. (número 1 de 3) MyBB version 1.8.25 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/49699 http://packetstormsecurity.com/files/161918/MyBB-1.8.25-SQL-Injection.html https://github.com/mybb/mybb/security/advisories/GHSA-23m9-w75q-ph4p • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-27890 – MyBB 1.8.25 - Chained Remote Command Execution
https://notcve.org/view.php?id=CVE-2021-27890
SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files. Una vulnerabilidad de inyección SQL en MyBB versiones anteriores a 1.8.26, mediante las propiedades del tema incluyendo en los archivos XML del tema • https://www.exploit-db.com/exploits/49696 http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html https://blog.sonarsource.com/mybb-remote-code-execution-chain https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 3CVE-2021-27889 – MyBB 1.8.25 - Chained Remote Command Execution
https://notcve.org/view.php?id=CVE-2021-27889
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. Una vulnerabilidad de tipo Cross-site Scripting (XSS) en MyBB versiones anteriores a 1.8.26 a través de Nested Auto URL cuando se analizan los mensajes • https://www.exploit-db.com/exploits/49696 http://packetstormsecurity.com/files/161908/MyBB-1.8.25-Remote-Command-Execution.html https://blog.sonarsource.com/mybb-remote-code-execution-chain https://github.com/mybb/mybb/security/advisories/GHSA-xhj7-3349-mqcm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2021-27279
https://notcve.org/view.php?id=CVE-2021-27279
MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode). MyBB versiones anteriores a 1.8.25, permite un ataque de tipo XSS almacenado por medio de etiquetas [correo electrónico] anidadas con MyCode (también se conoce como BBCode) • https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a https://github.com/mybb/mybb/security/advisories/GHSA-6483-hcpp-p75w https://mybb.com/versions/1.8.25 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15139 – XSS in MyBB
https://notcve.org/view.php?id=CVE-2020-15139
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file. En MyBB anterior a la versión 1.8.24, el MyCode (BBCode) personalizado para el editor visual no escapa la entrada correctamente cuando renderiza HTML, lo que genera una vulnerabilidad de tipo XSS basada en DOM. • https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0 https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj https://mybb.com/versions/1.8.24 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •