252 matches found
CVE-2023-46251
MyBB is a free and open source forum software. Custom MyCode BBCode for the visual editor SCEditor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active e.g. as...
Design/Logic Flaw
MyBB is a free and open source forum software. Custom MyCode BBCode for the visual editor SCEditor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active e.g. as...
CVE-2023-46251 Visual editor persistent Cross-site Scripting (XSS) in MyBB
MyBB is a free and open source forum software. Custom MyCode BBCode for the visual editor SCEditor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active e.g. as...
CVE-2023-46251
Summary: CVE-2023-46251 is a DOM-based XSS vulnerability in MyBB’s visual editor (SCEditor) caused by improper escaping of input in custom MyCode. This can be triggered when a victim loads a page with a pre-filled or crafted MyCode message (e.g., posts or private messages). The issue can affect p...
CVE-2023-46251 Visual editor persistent Cross-site Scripting (XSS) in MyBB
MyBB is a free and open source forum software. Custom MyCode BBCode for the visual editor SCEditor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active e.g. as...
CVE-2023-46251 Visual editor persistent Cross-site Scripting (XSS) in MyBB
MyBB is a free and open source forum software. Custom MyCode BBCode for the visual editor SCEditor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active e.g. as...
Remote code execution
A remote code execution RCE vulnerability in the xmlrpc.php endpoint of NodeBB Inc NodeBB forum software prior to v1.18.6 allows attackers to execute arbitrary code via crafted XML-RPC requests...
The vulnerability of the Admin CP configuration module of the MyBB forum creation software allows a hacker to execute arbitrary code.
The vulnerability of the Admin CP module for the MyBB forum creation software is related to improper code generation during template processing. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
CVE-2023-40033
Flarum is an open source forum software. Flarum is affected by a vulnerability that allows an attacker to conduct a Blind Server-Side Request Forgery SSRF attack or disclose any file on the server, even with a basic user account on any Flarum forum. By uploading a file containing a URL and spoofi...
CVE-2023-40033
CVE-2023-40033 affects Flarum (forum software). The root cause is the intervention/image package interpreting uploaded file contents as a URL, enabling a blind SSRF attack and disclosure of server files when a user uploads a URL-laden file with a spoofed MIME type. Exploitation leads to SSRF, loc...
Path traversal
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to...
CVE-2023-26045
CVE-2023-26045 affects NodeBB up to 2.8.7, where a path traversal in the user export path (due to object destructuring) could be triggered by a specially crafted payload to arbitrarily execute local JavaScript. Affected range: 2.5.0 through
CVE-2023-26045 NodeBB vulnerable to path traversal and code execution via prototype vulnerability
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to...
CVE-2023-26045 NodeBB vulnerable to path traversal and code execution via prototype vulnerability
NodeBB is Node.js based forum software. Starting in version 2.5.0 and prior to version 2.8.7, due to the use of the object destructuring assignment syntax in the user export code path, combined with a path traversal vulnerability, a specially crafted payload could invoke the user export logic to...
CVE-2023-27577
flarum is a forum software package for building communities. In versions prior to 1.7.0 an admin account which has already been compromised by an attacker may use a vulnerability in the LESS parser which can be exploited to read sensitive files on the server through the use of path traversal...
Path traversal
flarum is a forum software package for building communities. In versions prior to 1.7.0 an admin account which has already been compromised by an attacker may use a vulnerability in the LESS parser which can be exploited to read sensitive files on the server through the use of path traversal...
CVE-2023-22488
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
Design/Logic Flaw
Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...
CVE-2023-22488
CVE-2023-22488 affects Flarum core notification logic. The vulnerability stems from the notification-sending flow not validating that the notification subject is visible to the recipient, enabling reading of restricted/private content via subscriptions. Impact includes leakage of posts (including...
Design/Logic Flaw
Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extension, users can mention any post ID on the forum with the special @""p syntax. The following behavior never changes no matter if the actor should be able to read the mentioned post...