20 matches found
CVE-2019-12490
SMF contains a reverse tabnabbing flaw (CVE-2019-12490) in which external links opened with _blank can enable credential theft when a user visits a crafted site. Affected: Simple Machines Forum before 2.0.16. Root cause: improper handling of external links (target="_blank"). Impact documented as ...
CVE-2022-26982
CVE-2022-26982 affects SimpleMachinesForum versions 2.1.1 and earlier. Affected scenario: remote authenticated administrators can execute arbitrary PHP code by inserting vulnerable PHP code through theme modification (e.g., via Admin.template.php) because themes can be altered by an administrator...
CVE-2025-2583
The CVE-2025-2583 entry concerns SimpleMachines SMF 2.1.4, with a cross-site scripting flaw in ManageNews.php triggered by manipulating the subject/message argument. Exploitation is described as possible remotely, and public PoCs are referenced, but the real existence of the vulnerability is expl...
CVE-2009-5068
The CVE concerns Simple Machines Forum (SMF) up to version 2.0.3. In some deployments, co-admins with access to the same SMF instance can read arbitrary files, including settings.php containing database passwords, enabling privilege escalation. No specific exploit details or mitigations are provi...
CVE-2025-2582
The CVE-2025-2582 entry describes a cross-site scripting vulnerability in Simple Machines Forum (SMF) version 2.1.4, affecting the ManageAttachments.php file. The vulnerability results from manipulation of the Notice argument, enabling XSS. It is reported as exploitable remotely and the exploit h...
CVE-2016-5726
CVE-2016-5726 affects SMF 2.1, where Packages.php is vulnerable to a PHP object injection via the themechanges array parameter, enabling remote code execution. The vulnerability stems from how user-supplied data within that parameter is processed, allowing an attacker to craft payloads that execu...
CVE-2018-10305
CVE-2018-10305 (SMF) affects Simple Machines Forum prior to 2.0.15. The root cause is the MessageSearch2 function in PersonalMessage.php not properly using the possible_users variable in a query, enabling a remote attacker to bypass intended access restrictions. Impact is a security bypass of acc...
CVE-2013-0192
CVE-2013-0192 affects Simple Machines Forum (SMF) up to version 2.0.3. The vulnerability is a file disclosure that enables a forum admin to read sensitive files, such as the database configuration, indicating insufficient access restrictions when handling file operations. The available sources (N...
CVE-2013-4465
The CVE-2013-4465 issue affects Simple Machines Forum (SMF) prior to versions 2.0.6 and 2.1, where the avatar upload functionality permits an unrestricted file upload. The root cause is that an uploaded file with an executable extension can be stored and later retrieved via a direct request to a ...
CVE-2013-7235
CVE-2013-7235 affects Simple Machines Forum (SMF) prior to 1.1.19 and SMF 2.x prior to 2.0.6. The vulnerability allows remote attackers to impersonate arbitrary users by exploiting multiple consecutive space characters in authentication-related input. The root cause appears to be improper handlin...
CVE-2013-7468
Affected software: Simple Machines Forum (SMF) 2.0.4. Vulnerability: PHP Code Injection via the dictionary parameter in the index.php?action=admin;area=languages;sa=editlang path. Root cause (as described): unsafely processed user-supplied dictionary parameter enables code execution. Impact (as s...
CVE-2013-7234
CVE-2013-7234 affects Simple Machines Forum (SMF). The vulnerability exists in SMF versions prior to 1.1.19 and prior to 2.0.6, where an improper handling of the page framing allows remote attackers to perform clickjacking via an X-Frame-Options header. The NVD entry lists this as a remote, heade...
CVE-2013-7467
CVE-2013-7467 : Concrete details across multiple sources show that Simple Machines Forum (SMF) 2.0.4 is vulnerable to a cross-site scripting (XSS) issue. The vulnerability is triggered by the parameter in index.php with action=pm;sa=settings;save sa, allowing injection of script that can affect u...
CVE-2024-7438
CVE-2024-7438 affects SimpleMachines SMF 2.1.4. The issue resides in the User Alert Read Status Handler, specifically the file /index.php?action=profile;u=2;area=showalerts;do=read. Manipulating the parameter aid leads to improper control of resource identifiers. The vulnerability is exploitable ...
CVE-2016-5727
CVE-2016-5727 affects Simple Machines Forum (SMF) 2.1. The vulnerability allows remote attackers to perform PHP object injection and execute arbitrary PHP code via vectors related to variables derived from user input in a foreach loop. The description indicates an input-derived injection in LogIn...
CVE-2013-4395
CVE-2013-4395 affects Simple Machines Forum (SMF) up to version 2.0.5, with a cross-site scripting (XSS) vulnerability. The connected records confirm the product and vulnerability class but do not provide technical details such as vulnerable components, exploit vectors, affected configurations, r...
CVE-2024-7437
Affected software: SimpleMachines SMF 2.1.4. Vulnerability exists in the Delete User Handler component: /index.php?action=profile;u=2;area=showalerts;do=remove, where manipulation of the aid argument leads to improper control of resource identifiers. It enables remote attack and has publicly disc...
CVE-2013-7236
CVE-2013-7236 affects Simple Machines Forum (SMF) versions 2.0.6, 1.1.19 and earlier. The root cause is a Unicode homoglyph character in a username that allows a remote attacker to impersonate arbitrary users. The public texts report this as a user-impersonation flaw without providing concrete ex...
CVE-2013-7466
CVE-2013-7466 affects Simple Machines Forum (SMF) 2.0.4. The issue is a local file inclusion vulnerability in install.php that can execute remote code via an ../ directory traversal in the db_type parameter if install.php remains after installation. This is documented to enable remote code execut...
CVE-2025-67163
CVE-2025-67163 affects Simple Machines Forum (SMF) v2.1.6 (and SMF