CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000502
https://notcve.org/view.php?id=CVE-2018-1000502
MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15. MyBB Group MyBB contiene una vulnerabilidad de inclusión de archivos en el panel de administrador (Tools and Maintenance -> Task Manager -> Add New Task) que puede resultar en que se permita la inclusión de archivos locales en versiones modernas de PHP y la inclusión de archivos remota en versiones antiguas de PHP. Para explotar este ataque, el atacante debe tener acceso al panel de administración. • http://www.batterystapl.es/2018/03/local-file-inclusion-and-reading.html https://blog.mybb.com/2018/03/15/mybb-1-8-15-released-security-maintenance-release • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-10678
https://notcve.org/view.php?id=CVE-2018-10678
MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks. MyBB 1.8.15, cuando se accede a él mediante Microsoft Edge, gestiona de manera incorrecta 'target="_blank" rel="noopener"' en elementos A, lo que facilita que atacantes remotos lleven a cabo ataques de redirección. • https://github.com/hbranco/CVE-2018-10678 http://www.securityfocus.com/bid/104187 https://gist.github.com/MayurUdiniya/7aaa50b878d82b6aab6ed0b3e2b080bc • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2018-7305
https://notcve.org/view.php?id=CVE-2018-7305
MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts. MyBB 1.8.14 no comprueba un token CSRF válido, lo que conduce al borrado arbitrario de cuentas de usuario. • https://websecnerd.blogspot.in/2018/02/mybb-forum-1_21.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-6844
https://notcve.org/view.php?id=CVE-2018-6844
MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen. MyBB 1.8.14 tiene XSS mediante los campos Title o Description en la pantalla Edit Forum. • https://websecnerd.blogspot.com/2018/02/mybb-forum-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-16781 – MyBB 1.8.13 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-16781
The installer in MyBB before 1.8.13 has XSS. El instalador en MyBB en versiones anteriores a la 1.8.13 tiene Cross-Site Scripting (XSS). • https://www.exploit-db.com/exploits/43137 https://blog.mybb.com/2017/11/07/mybb-1-8-13-released-security-maintenance-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •