CVE-2014-1840

2014-03-0316:55:04

CWE-79

mitre

web.nvd.nist.gov

xss

mybb

vulnerability

web security

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.3

Confidence

High

EPSS

0.002

Percentile

52.5%

JSON

Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.

Affected configurations

Nvd

Node

mybbmybbRange≤1.6.12

mybbmybbMatch1.6.0

mybbmybbMatch1.6.1

mybbmybbMatch1.6.2

mybbmybbMatch1.6.3

mybbmybbMatch1.6.4

mybbmybbMatch1.6.5

mybbmybbMatch1.6.6

mybbmybbMatch1.6.7

mybbmybbMatch1.6.8

mybbmybbMatch1.6.9

mybbmybbMatch1.6.10

mybbmybbMatch1.6.11

VendorProductVersionCPE
mybbmybb*cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*
mybbmybb1.6.0cpe:2.3:a:mybb:mybb:1.6.0:*:*:*:*:*:*:*
mybbmybb1.6.1cpe:2.3:a:mybb:mybb:1.6.1:*:*:*:*:*:*:*
mybbmybb1.6.2cpe:2.3:a:mybb:mybb:1.6.2:*:*:*:*:*:*:*
mybbmybb1.6.3cpe:2.3:a:mybb:mybb:1.6.3:*:*:*:*:*:*:*
mybbmybb1.6.4cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*
mybbmybb1.6.5cpe:2.3:a:mybb:mybb:1.6.5:*:*:*:*:*:*:*
mybbmybb1.6.6cpe:2.3:a:mybb:mybb:1.6.6:*:*:*:*:*:*:*
mybbmybb1.6.7cpe:2.3:a:mybb:mybb:1.6.7:*:*:*:*:*:*:*
mybbmybb1.6.8cpe:2.3:a:mybb:mybb:1.6.8:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mybb	mybb	*	cpe:2.3:a:mybb:mybb::::::::
mybb	mybb	1.6.0	cpe:2.3:a:mybb:mybb:1.6.0:::::::*
mybb	mybb	1.6.1	cpe:2.3:a:mybb:mybb:1.6.1:::::::*
mybb	mybb	1.6.2	cpe:2.3:a:mybb:mybb:1.6.2:::::::*
mybb	mybb	1.6.3	cpe:2.3:a:mybb:mybb:1.6.3:::::::*
mybb	mybb	1.6.4	cpe:2.3:a:mybb:mybb:1.6.4:::::::*
mybb	mybb	1.6.5	cpe:2.3:a:mybb:mybb:1.6.5:::::::*
mybb	mybb	1.6.6	cpe:2.3:a:mybb:mybb:1.6.6:::::::*
mybb	mybb	1.6.7	cpe:2.3:a:mybb:mybb:1.6.7:::::::*
mybb	mybb	1.6.8	cpe:2.3:a:mybb:mybb:1.6.8:::::::*