
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) 1.1 RC2 allows remote attackers to inject arbitrary web script or HTML via the action parameter.

References:
• https://www.exploit-db.com/exploits/28831
• http://securityreason.com/securityalert/1772
• http://www.securityfocus.com/archive/1/449241/100/0/threaded
• http://www.securityfocus.com/bid/20629
• https://exchange.xforce.ibmcloud.com/vulnerabilities/29690

CVSS: 4.3 | EPSS: 0% | CPEs: 6 | EXPL: 0

Cross-site scripting (XSS) vulnerability in index.php in Simple Machines Forum (SMF) allows remote attackers to inject arbitrary web script or HTML via a base64 encoded params value in the action parameter.

References:
• http://osvdb.org/31070
• http://www.securityfocus.com/archive/1/449307/100/0/threaded
• http://www.securityfocus.com/archive/1/449395/100/0/threaded
• http://www.securityfocus.com/archive/1/449478/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/29689

CVSS: 7.5 | EPSS: 1% | CPEs: 2 | EXPL: 0

Simple Machines Forum (SMF) 1.1RCx before 1.1RC3, and 1.0.x before 1.0.8, does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to perform directory traversal attacks to read arbitrary local files, lock topics, and possibly have other security impacts. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in Simple Machines Forum.

References:
• http://retrogod.altervista.org/smf_11rc2_local_incl.html
• http://retrogod.altervista.org/smf_11rc2_lock.html
• http://securityreason.com/securityalert/1475
• http://www.securityfocus.com/archive/1/444053/100/100/threaded
• http://www.simplemachines.org/community/index.php?topic=107112.0
• http://www.simplemachines.org/community/index.php?topic=107135.0

CVSS: 4.3 | EPSS: 1% | CPEs: 1 | EXPL: 0

Cross-site scripting (XSS) vulnerability in Sources/Register.php in Simple Machines Forum (SMF) 1.0.6 allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For HTTP header field. Simple Machines Forum, or SMF, version 1.0.6 is susceptible to a cross-site scripting vulnerability in the X-Forwarded-For directive that can be used to commit attacks against an administrator.

References:
• http://attrition.org/pipermail/vim/2006-April/000682.html
• http://evuln.com/vulns/86/summary.html
• http://secunia.com/advisories/19004
• http://securityreason.com/securityalert/545
• http://www.osvdb.org/23480
• http://www.securityfocus.com/archive/1/426824/100/0/threaded
• http://www.securityfocus.com/bid/16841
• http://www.simplemachines.org/community/index.php?topic=78841.0
• http://www.vupen.com/english/advisories/2006/0726
• https://exchange.xforce.ibmcloud.com/vulnerabilities/24915

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

NOTE: this issue has been disputed by the vendor and third parties. SQL injection vulnerability in Memberlist.php in Simple Machines Forum (SMF) 1.1 rc1 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter. NOTE: the vendor says that since only one character can be modified, there is no SQL injection. Thus this might be an "invalid SQL syntax error." Multiple followups support the vendor.

References:
• http://archives.neohapsis.com/archives/bugtraq/2005-12/0090.html
• http://www.securityfocus.com/archive/1/419068/100/0/threaded
• http://www.securityfocus.com/archive/1/419105/100/0/threaded
• http://www.securityfocus.com/archive/1/419250/100/0/threaded
• http://www.securityfocus.com/archive/1/419535/100/0/threaded
• http://www.securityfocus.com/bid/15791
• https://exchange.xforce.ibmcloud.com/vulnerabilities/23546