Lucene search

Mybb Security Vulnerabilities

cve

CVE-2019-12830

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.

8.7CVSS

8.2AI Score

0.001EPSS

2019-06-15 06:29 PM

134

cve

CVE-2019-12831

In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaa...

7.2CVSS

7.2AI Score

0.001EPSS

2019-06-15 06:29 PM

123

cve

CVE-2019-20225

MyBB before 1.8.22 allows an open redirect on login.

6.1CVSS

6.2AI Score

0.001EPSS

2020-01-02 03:15 PM

cve

CVE-2019-3578

MyBB 1.8.19 has XSS in the resetpassword function.

6.1CVSS

5.9AI Score

0.001EPSS

2019-06-06 07:29 PM

160

cve

CVE-2019-3579

MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter.

5.3CVSS

5.5AI Score

0.002EPSS

2019-06-06 07:29 PM

146

cve

CVE-2020-15139

In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Me...

8.8CVSS

5.9AI Score

0.001EPSS

2020-08-10 10:15 PM

cve

CVE-2020-19048

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.

5.4CVSS

5.2AI Score

0.001EPSS

2021-08-31 02:15 PM

cve

CVE-2020-19049

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.

5.4CVSS

5.2AI Score

0.001EPSS

2021-08-31 02:15 PM

cve

CVE-2020-22612

Installer RCE on settings file write in MyBB before 1.8.22.

9.8CVSS

9.4AI Score

0.002EPSS

2023-09-01 04:15 PM

cve

CVE-2021-27279

MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).

5.4CVSS

5.1AI Score

0.001EPSS

2021-02-22 08:15 PM

cve

CVE-2021-27889

Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.

6.1CVSS

6.6AI Score

0.004EPSS

2021-03-15 05:15 PM

113

cve

CVE-2021-27890

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.

8.8CVSS

9AI Score

0.002EPSS

2021-03-15 06:15 PM

cve

CVE-2021-27946

SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).

8.8CVSS

9AI Score

0.002EPSS

2021-03-15 06:15 PM

cve

CVE-2021-27947

SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).

7.2CVSS

7.8AI Score

0.001EPSS

2021-03-15 06:15 PM

cve

CVE-2021-27948

SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).

7.2CVSS

7.8AI Score

0.001EPSS

2021-03-15 06:15 PM

cve

CVE-2021-27949

Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.

6.1CVSS

6.7AI Score

0.001EPSS

2021-03-15 06:15 PM

cve

CVE-2021-41866

MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.

5.4CVSS

5.1AI Score

0.001EPSS

2021-10-26 10:15 PM

cve

CVE-2021-43281

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on ...

7.2CVSS

7.4AI Score

0.002EPSS

2021-11-04 06:15 PM

cve

CVE-2022-24734

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type php with PHP code, executed on on Change Settings pages. This results...

7.2CVSS

7.1AI Score

0.257EPSS

2022-03-09 10:15 PM

cve

CVE-2022-28354

In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.

6.1CVSS

6AI Score

0.001EPSS

2023-04-24 09:15 PM

cve

CVE-2022-39265

MyBB is a free and open source forum software. The Mail Settings → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vul...

7.2CVSS

7.1AI Score

0.008EPSS

2022-10-06 06:16 PM

cve

CVE-2022-43707

MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data

6.1CVSS

6AI Score

0.001EPSS

2022-11-22 12:15 AM

cve

CVE-2022-43708

MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name

6.1CVSS

6AI Score

0.001EPSS

2022-11-22 12:15 AM

cve

CVE-2022-43709

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

4.9CVSS

5.3AI Score

0.001EPSS

2022-11-22 12:15 AM

cve

CVE-2022-45867

MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.

7.2CVSS

6.7AI Score

0.002EPSS

2023-01-03 08:15 PM

cve

CVE-2023-28467

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

6.1CVSS

5.9AI Score

0.001EPSS

2023-05-22 07:15 PM

cve

CVE-2023-41362

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

7.2CVSS

7AI Score

0.002EPSS

2023-08-29 04:15 PM

cve

CVE-2023-45556

Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.

5.4CVSS

5.8AI Score

0.0004EPSS

2023-11-06 10:15 PM

cve

CVE-2023-46251

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor ) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g...

7.5CVSS

6.1AI Score

0.001EPSS

2023-11-06 06:15 PM

cve

CVE-2024-23335

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There a...

4.7CVSS

4.8AI Score

0.0004EPSS

2024-05-01 07:15 AM

cve

CVE-2024-23336

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's Disallowed Remote Addresses list ($config['disallowed_remote_addresses'...

5CVSS

7AI Score

0.001EPSS

2024-05-01 07:15 AM

Total number of security vulnerabilities131