21 matches found
CVE-2005-2817
CVE-2005-2817 affects Simple Machines Forum (SMF) 1-0-5 and earlier. The issue arises from using URLs for avatar images, enabling a remote attacker to induce disclosure of sensitive visitor data (e.g., IP address, user agent) via a malicious avatar URL. The vulnerability is demonstrated via PHP o...
CVE-2008-6544
Concretely, CVE-2008-6544 affects Simple Machines Forum (SMF) 1.1.4. The vulnerability is described as PHP remote file inclusion via the settings[default_theme_dir] parameter to two endpoints: Sources/Subs-Graphics.php and Sources/Themes.php. The underlying issue involves allowing a URL to influe...
CVE-2008-6657
SMF 1.x is affected by a CSRF vulnerability in index.php. Versions 1.0 before 1.0.15 and 1.1 before 1.1.7 allow remote attackers to hijack admin authentication for install2 package requests. Impact is admin-level session hijack via crafted requests; exploitation requires no user interaction. The ...
CVE-2006-4467
The CVE-2006-4467 entry applies to Simple Machines Forum (SMF) 1.1RCx prior to 1.1RC3 and 1.0.x prior to 1.0.8. The issue is a variable-unsetting flaw where input data containing a numeric parameter with a value that matches an alphanumeric parameter’s hash value prevents SMF from unsetting the c...
CVE-2007-5646
SMF SQL injection (CVE-2007-5646) affects Simple Machines Forum (SMF) 1.1.3. The flaw is in Sources/Search.php where the vulnerable userspec parameter used in the search2 action to index.php is not sanitized, enabling arbitrary SQL execution when using MySQL 5.x. An unauthenticated or authenticat...
CVE-2005-4159
The CVE concerns Simple Machines Forum (SMF) prior to 1.1 rc1 (inclusive) with a potential SQL injection in Memberlist.php via the start parameter. The vendor disputes that it constitutes a true SQL injection, arguing only a single character can be modified, which may be an invalid SQL syntax err...
CVE-2008-6658
CVE-2008-6658 affects Simple Machines Forum (SMF): directory traversal in index.php allows remote authenticated administrators to install packages from arbitrary directories via package parameter during install2, affecting SMF 1.0.x prior to 1.0.15 and SMF 1.1.x prior to 1.1.7. Impact per descrip...
CVE-2006-5504
CVE-2006-5504 affects Simple Machines Forum (SMF). The vulnerability is a Cross-site Scripting (XSS) in index.php where an attacker can inject arbitrary web script or HTML by supplying a base64-encoded value in the action parameter. Impact is described as partial integrity impact on the target. T...
CVE-2007-3942
SMF 1.1.3 is affected by a directory traversal issue in index.php that could allow remote inclusion of local files via the sourcedir parameter or the actionArray hash. The root cause is unclear in some sources, as CVE notes that sourcedir and actionArray are defined before use and disputes exist ...
CVE-2008-6741
CVE-2008-6741 affects Simple Machines Forum (SMF) 1.1.4 and earlier. The vulnerability arises from an SQL injection in Load.php triggered by using a multibyte character set for db_character_set (e.g., big5), where addslashes can fail to quote single quotes, enabling remote SQL execution via a cra...
CVE-2007-3308
The CVE-2007-3308 entry concerns Simple Machines Forum (SMF) version 1.1.2, where the WAV file CAPTCHA is created by a concatenation method with insufficient randomization. This flaw allows remote attackers to bypass the CAPTCHA via automated brute-force attempts. The provided records indicate no...
CVE-2008-6659
CVE-2008-6659 affects Simple Machines Forum (SMF) 1.x before 1.1.7 (and 1.0 before 1.0.15). The flaw is a directory traversal in index.php via theme_dir in a jsoption action, tied to Sources/QueryString.php and Sources/Themes.php, enabling remote authenticated users to configure arbitrary local f...
CVE-2006-0896
The CVE-2006-0896 issue affects Simple Machines Forum (SMF) 1.0.6, specifically the Sources/Register.php script. The root cause is improper sanitization of the HTTP_X_FORWARDED_FOR header, enabling a remote attacker to inject arbitrary HTML or script via XSS. Documents indicate an exploit exists ...
CVE-2007-3309
The CVE-2007-3309 entry concerns Simple Machines Forum (SMF) 1.1.2, where a vulnerability enables remote attackers to execute arbitrary PHP code during (1) message creation or (2) message editing. The available sources identify the affected software/version and the code-execution risk but do not ...
CVE-2008-3072
CVE-2008-3072 affects Simple Machines Forum (SMF) versions 1.1.x prior to 1.1.5 and 1.0.x prior to 1.0.13 when running under PHP versions earlier than 4.2.0. The issue is that the random number generator is not seeded properly, with an impact that is currently described as unknown. The provided d...
CVE-2007-0399
SMF 1.1 RC3 exposes multiple XSS flaws in index.php during the PM “send” action. Infected input (recipient/BCC fields) can inject arbitrary script/HTML in the context of an authenticated user. Affected: Simple Machines Forum (SMF), version 1.1 RC3; vulnerability arises in the PM sending workflow....
CVE-2007-5943
CVE-2007-5943 affects Simple Machines Forum (SMF) 1.1.4. The issue allows remote attackers to read messages in private forums by abusing the advanced search module with the "show results as messages" option and searching for keywords contained in the target message. The NVD entry lists partial co...
CVE-2006-7013
CVE-2006-7013 affects Simple Machines Forum (SMF) versions 1.0.7 and earlier and 1.1rc2 and earlier. The issue lets remote attackers spoof the user IP and evade bans by manipulating the X-Forwarded-For header, which is treated as the IP source instead of more reliable sources. The root cause is r...
CVE-2008-3073
CVE-2008-3073 affects Simple Machines Forum (SMF) 1.1.x before 1.1.5 and 1.0.x before 1.0.13. Description indicates unknown impact and attack vectors, probably cross-site scripting (XSS) related to “use of the html-tag.” NVD CVSS2 base score 7.5 (HIGH) with network vector and low complexity; part...
CVE-2007-2546
CVE-2007-2546 affects Simple Machines Forum (SMF) versions up to 1.1.2. The vulnerability is a session fixation flaw that lets an attacker hijack a user’s web session by manipulating the PHPSESSID parameter. The connected documents corroborate the issue in SMF 1.1.2 and earlier, with related entr...
CVE-2006-5503
The provided data confirms a Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.1 RC2 . The issue occurs in the file indicated by the description (likely index.php) where an attacker can inject arbitrary script/HTML via the action parameter , enabling remote script executio...