CVE-2021-28968
https://notcve.org/view.php?id=CVE-2021-28968
An issue was discovered in PunBB before 1.4.6. An XSS vulnerability in the [email] BBcode tag allows (with authentication) injecting arbitrary JavaScript into any forum message.
• https://punbb.informer.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-3371
https://notcve.org/view.php?id=CVE-2011-3371
Multiple cross-site scripting (XSS) vulnerabilities in include/functions.php in PunBB before 1.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) form_sent, (3) csrf_token, (4) req_confirm, or (5) delete parameter to delete.php, the (6) id, (7) form_sent, (8) csrf_token, (9) req_message, or (10) submit parameter to edit.php, the (11) action, (12) form_sent, (13) csrf_token, (14) req_email, or (15) request_pass parameter to login.php, the (16) email, (17) form_sent, (18) redirect_url, (19) csrf_token, (20) req_subject, (21) req_message, or (22) submit parameter to misc.php, the (23) action, (24) id, (25) form_sent, (26) csrf_token, (27) req_old_password, (28) req_new_password1, (29) req_new_password2, or (30) update parameter to profile.php, or the (31) action, (32) form_sent, (33) csrf_token, (34) req_username, (35) req_password1, (36) req_password2, (37) req_email1, (38) timezone, or (39) register parameter to register.php.
• http://archives.neohapsis.com/archives/fulldisclosure/2011-09/0193.html http://archives.neohapsis.com/archives/fulldisclosure/2011-09/0210.html http://archives.neohapsis.com/archives/fulldisclosure/2011-09/0272.html http://punbb.informer.com/forums/topic/24427/multiple-xss-vulnerabilities http://punbb.informer.com/forums/topic/24430/punbb-136 http://securitytracker.com/id?1026073 http://www.openwall.com/lists/oss-security/2011/09/18/1 http://www.openwall.com/lists/oss-security/2011/09/22 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2009-4894
https://notcve.org/view.php?id=CVE-2009-4894
Multiple cross-site scripting (XSS) vulnerabilities in profile.php in PunBB before 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) password or (2) e-mail.
• http://punbb.informer.com/forums/topic/21669/punbb-134 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2008-7241
https://notcve.org/view.php?id=CVE-2008-7241
Cross-site request forgery (CSRF) vulnerability in PunBB before 1.2.17 allows remote attackers to hijack the authentication of unspecified users for requests related to a logout, probably a forced logout.
• http://osvdb.org/48685 http://punbb.informer.com/download/changelogs/1.2.16_to_1.2.17.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2008-6308 – PunBB (Private Messaging System 1.2.x) - Multiple Local File Inclusions
https://notcve.org/view.php?id=CVE-2008-6308
Multiple directory traversal vulnerabilities in Private Messaging System (PMS) 1.2.3 and earlier for PunBB allow remote attackers to include and execute arbitrary files via a .. (dot dot) in the pun_user[language] parameter to (1) functions_navlinks.php, (2) header_new_messages.php, (3) profile_send.php, and (4) viewtopic_PM-link.php in include/pms/.
• https://www.exploit-db.com/exploits/7159 http://secunia.com/advisories/13201 http://www.securityfocus.com/bid/32360 http://www.vupen.com/english/advisories/2008/3214 https://exchange.xforce.ibmcloud.com/vulnerabilities/46718 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •