CVE-2018-19202
https://notcve.org/view.php?id=CVE-2018-19202
A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter.
• https://blog.mybb.com
• https://mybb.com/versions/1.8.20
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-19201
https://notcve.org/view.php?id=CVE-2018-19201
A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.
• https://blog.mybb.com/2019/02/27/mybb-1-8-20-released-security-maintenance-release
• https://github.com/mybb/mybb/blob/feature/SECURITY.md#technical-details-of-known-issues
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14724
https://notcve.org/view.php?id=CVE-2018-14724
In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page.
• https://www.exploit-db.com/exploits/46347
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14575 – MyBB Trash Bin Plugin 1.1.3 - Cross-Site Scripting / Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2018-14575
Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject. MyBB Trash Bin plugin version 1.1.3 suffers from cross-site request forgery and cross-site scripting vulnerabilities.
• https://www.exploit-db.com/exploits/46384
• http://packetstormsecurity.com/files/151704/MyBB-Trash-Bin-1.1.3-Cross-Site-Request-Forgery-Cross-Site-Scripting.html
• https://community.mybb.com/mods.php?action=view&pid=957
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2018-17128 – MyBB Visual Editor 1.8.18 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-17128
A persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode. MyBB Visual Editor versions 1.8.18 and below suffer from a cross-site scripting vulnerability.
• https://www.exploit-db.com/exploits/45449
• https://blog.mybb.com/2018/09/11/mybb-1-8-19-released-security-maintenance-release
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')