82 matches found
CVE-2019-13974
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF...
SQL injection
LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997...
Cross-site request forgery (CSRF)
LayerBB 1.1.3 allows conversations.php/cmd/new CSRF...
Default credentials
LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used...
CVE-2019-13974
CVE-2019-13974 affects LayerBB 1.1.3 and is a Cross‑Site Request Forgery in conversations.php/cmd/new. The vulnerability stems from insufficient validation of requests from trusted users. CVSS metrics indicate CVSSv3 base score 8.8 (HIGH) with network attack vector, low complexity, no privileges ...
CVE-2019-13973
LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used...
CVE-2019-13973
CVE-2019-13973 affects LayerBB 1.1.3, where the admin/general.php arbitrary file upload is possible because the custom_logo filename suffix is not restricted, allowing a ".php" file. The vulnerability stems from insufficient validation of uploaded logo names, enabling potential remote code execut...
CVE-2019-13972
LayerBB 1.1.3 contains an XSS vulnerability in the pm_title parameter of application/commands/new.php (CVE-2019-13972). The issue is caused by insufficient input validation, enabling cross-site scripting and potentially exposing client-side data. This CVE is related to CVE-2019-17997. Publicly pr...
CVE-2019-13972
LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997...
CVE-2018-17996
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/...
CVE-2018-17997
LayerBB 1.1.1 allows XSS via the titles of conversations PMs...
Design/Logic Flaw
LayerBB 1.1.1 allows XSS via the titles of conversations PMs...
Cross-site request forgery (CSRF)
LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/...
CVE-2018-17997
LayerBB 1.1.1 contains a Cross‑Site Scripting (XSS) vulnerability in the titles of conversations (PMs). The underlying issue is improper handling of input in conversation titles, enabling an attacker to inject scripts that may execute in a victim’s browser. Reports across multiple sources (NVD/Re...
CVE-2018-17996
CVE-2018-17996 affects LayerBB versions up to 1.1.2; CSRF allows adding an admin user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/. Root cause is CSRF vulnerability; vulnerable until 1.1.2, fixed in 1.1.3. References include ...