CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7438 – SimpleMachines SMF User Alert Read Status index.php resource injection
https://notcve.org/view.php?id=CVE-2024-7438
A vulnerability has been found in SimpleMachines SMF 2.1.4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php?action=profile;u=2;area=showalerts;do=read of the component User Alert Read Status Handler. The manipulation of the argument aid leads to improper control of resource identifiers. The attack can be launched remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc2.md https://vuldb.com/?ctiid.273523 https://vuldb.com/?id.273523 https://vuldb.com/?submit.380190 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7437 – SimpleMachines SMF Delete User index.php resource injection
https://notcve.org/view.php?id=CVE-2024-7437
A vulnerability, which was classified as critical, was found in SimpleMachines SMF 2.1.4. Affected is an unknown function of the file /index.php?action=profile;u=2;area=showalerts;do=remove of the component Delete User Handler. The manipulation of the argument aid leads to improper control of resource identifiers. It is possible to launch the attack remotely. • https://github.com/Fewword/Poc/blob/main/smf/smf-poc1.md https://vuldb.com/?ctiid.273522 https://vuldb.com/?id.273522 https://vuldb.com/?submit.380189 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 6.8EPSS: 0%CPEs: 13EXPL: 0CVE-2011-4173
https://notcve.org/view.php?id=CVE-2011-4173
Cross-site request forgery (CSRF) vulnerability in Simple Machines Forum (SMF) 2.x before 2.0.1 allows remote attackers to hijack the authentication of administrators or moderators via vectors involving image files, a different vulnerability than CVE-2011-3615. NOTE: some of these details are obtained from third party information. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF)en Simple Machines Forum (SMF) v2.x anterior a v2.0.1 permite a atacantes remotos secuestrar la autenticación de administradores o moderadores a través de vectores que envuelven ficheros con imágenes, una vulnerabilidad diferente que CVE-2011-3615. NOTA: algunos de estos detalles han sido obtenidos de terceras partes de información. • http://openwall.com/lists/oss-security/2011/10/09/3 http://openwall.com/lists/oss-security/2011/10/10/6 http://secunia.com/advisories/46386 http://www.simplemachines.org/community/index.php?topic=452888.0 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 62EXPL: 0CVE-2011-3615
https://notcve.org/view.php?id=CVE-2011-3615
Multiple SQL injection vulnerabilities in Simple Machines Forum (SMF) before 1.1.15 and 2.x before 2.0.1 allow remote attackers to execute arbitrary SQL commands via vectors involving a (1) HTML entity or (2) display name. NOTE: some of these details are obtained from third party information. Multiples vulnerabilidades de inyección SQL en Simple Machines Forum (SMF) anterios a v1.1.15 y v2.x anteriores a 2.0.1 que permiten a atacantes remotos ejecutar comandos SQL de su elección a traves de vectores que incluyen una (1) entidad HTML o (2) muestran nombre. NOTA: algunos de estos detalles han sido obtenidos a partir de la información de terceros. • http://openwall.com/lists/oss-security/2011/10/09/3 http://openwall.com/lists/oss-security/2011/10/10/6 http://secunia.com/advisories/46386 http://www.simplemachines.org/community/index.php?topic=452888.0 https://exchange.xforce.ibmcloud.com/vulnerabilities/70617 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 57EXPL: 0CVE-2011-1130
https://notcve.org/view.php?id=CVE-2011-1130
Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly validate the start parameter, which might allow remote attackers to conduct SQL injection attacks, obtain sensitive information, or cause a denial of service via a crafted value, related to the cleanRequest function in QueryString.php and the constructPageIndex function in Subs.php. Simple Machines Forum (SMF ) antes de v1.1.13, y v2.x antes de v2.0 RC5, no valida correctamente los parámetros de inicio, lo que podría permitir a atacantes remotos realizar ataques de inyección SQL, obtener información sensible o causar una denegación de servicio a través de un valor creado, en relación con la función cleanRequest en QueryString.php y la función constructPageIndex en Subs.php. • http://custom.simplemachines.org/mods/downloads/smf_patch_2.0-RC4_security.zip http://www.openwall.com/lists/oss-security/2011/02/22/17 http://www.openwall.com/lists/oss-security/2011/03/02/4 http://www.simplemachines.org/community/index.php?topic=421547.0 • CWE-20: Improper Input Validation •