CVE-2009-4449
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
Vulnerabilidad de salto de directorio en MyBB (MyBulletinBoard) v1.4.10, y posiblemente versiones anteriores. Cuando se cambia el avatar de usuario desde la galería, permite a usuarios remotos autenticados determinar la existencia de ficheros a través de secuencias de salto de directorio en el avatar y posiblemente los parámetros de la galería. Relacionado con (1) admin/modules/user/users.php y (2) usercp.php.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2009-12-29 CVE Reserved
- 2009-12-29 CVE Published
- 2024-02-16 EPSS Updated
- 2024-08-07 CVE Updated
- 2024-08-07 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update | Release Notes | |
| http://dev.mybboard.net/issues/617 | Broken Link | |
| http://openwall.com/lists/oss-security/2010/10/08/7 | Mailing List | |
| http://openwall.com/lists/oss-security/2010/10/11/8 | Mailing List | |
| http://openwall.com/lists/oss-security/2010/12/06/2 | Mailing List | |
| http://osvdb.org/61359 | Broken Link | |
| http://www.securityfocus.com/bid/37489 | Broken Link |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://secunia.com/advisories/37906 | 2024-01-26 |