Mybb

MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.

Published: 2025-06-02T15:58:49.498Z
Updated: 2025-06-02T16:07:10.790Z

MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.

Published: 2025-06-02T15:52:36.740Z
Updated: 2025-06-02T16:06:00.967Z

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

Published: 2024-05-01T06:27:37.987Z
Updated: 2024-08-01T22:59:32.176Z

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

Published: 2024-05-01T06:27:42.162Z
Updated: 2024-08-01T22:59:32.211Z

MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.

Published: 2025-12-22T21:35:35.951Z
Updated: 2026-03-05T12:03:23.604Z

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.

Published: 2023-11-06T17:41:30.378Z
Updated: 2024-09-04T19:32:41.984Z

Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.

Published: 2023-11-06T00:00:00.000Z
Updated: 2024-09-05T14:16:56.909Z

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

Published: 2023-08-29T00:00:00.000Z
Updated: 2024-10-01T20:41:29.859Z

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

Published: 2023-05-22T00:00:00.000Z
Updated: 2025-01-21T15:26:10.149Z

MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.

Published: 2023-01-03T00:00:00.000Z
Updated: 2025-04-10T15:24:04.427Z

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

Published: 2022-11-21T00:00:00.000Z
Updated: 2025-04-29T14:12:48.349Z

MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name

Published: 2022-11-21T00:00:00.000Z
Updated: 2025-04-29T14:15:07.099Z

MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data

Published: 2022-11-21T00:00:00.000Z
Updated: 2025-04-29T14:16:33.815Z

MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published: 2022-10-06T00:00:00.000Z
Updated: 2025-04-22T17:19:51.525Z

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

Published: 2022-03-09T21:25:08.000Z
Updated: 2025-04-22T18:19:20.055Z

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.

Published: 2021-11-04T17:42:34.000Z
Updated: 2024-08-04T03:55:28.469Z

MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.

Published: 2021-10-26T21:25:47.000Z
Updated: 2024-08-04T03:22:25.530Z

Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.

Published: 2021-03-15T17:19:11.000Z
Updated: 2024-08-03T21:33:17.251Z

SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).

Published: 2021-03-15T17:13:33.000Z
Updated: 2024-08-03T21:33:17.242Z

SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).

Published: 2021-03-15T17:10:33.000Z
Updated: 2024-08-03T21:33:16.403Z

SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).

Published: 2021-03-15T17:08:09.000Z
Updated: 2024-08-03T21:33:17.343Z

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.

Published: 2021-03-15T17:04:13.000Z
Updated: 2024-08-03T21:33:16.401Z

Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.

Published: 2021-03-15T16:57:02.000Z
Updated: 2024-08-03T21:33:17.199Z

MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).

Published: 2021-02-22T19:04:20.000Z
Updated: 2024-08-03T20:48:16.072Z

Installer RCE on settings file write in MyBB before 1.8.22.

Published: 2023-09-01T00:00:00.000Z
Updated: 2024-10-01T16:51:57.449Z

In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.

Published: 2020-08-10T21:35:13.000Z
Updated: 2024-08-04T13:08:22.286Z

MyBB before 1.8.22 allows an open redirect on login.

Published: 2020-01-02T14:02:26.000Z
Updated: 2024-08-05T02:39:09.790Z

In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE.

Published: 2019-06-15T17:05:08.000Z
Updated: 2024-08-04T23:32:55.221Z

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.

Published: 2019-06-15T17:04:50.000Z
Updated: 2024-08-04T23:32:55.480Z

A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter.

Published: 2019-04-11T20:00:10.000Z
Updated: 2024-08-05T11:30:04.217Z

A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.

Published: 2019-03-29T18:58:41.000Z
Updated: 2024-08-05T11:30:04.028Z

A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

Published: 2018-09-17T04:00:00.000Z
Updated: 2024-08-05T10:39:59.703Z

MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.

Published: 2018-06-26T16:00:00.000Z
Updated: 2024-08-05T12:40:47.100Z

MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.

Published: 2018-06-26T16:00:00.000Z
Updated: 2024-08-05T12:40:47.006Z

In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.

Published: 2017-04-24T18:00:00.000Z
Updated: 2024-08-05T16:27:22.549Z

In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.

Published: 2017-04-24T18:00:00.000Z
Updated: 2024-09-16T18:29:44.703Z

MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.

Published: 2017-04-06T16:00:00.000Z
Updated: 2024-08-05T16:04:12.021Z

The installer in MyBB before 1.8.13 has XSS.

Published: 2017-11-10T23:00:00.000Z
Updated: 2024-08-05T20:35:21.217Z

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

Published: 2017-11-10T23:00:00.000Z
Updated: 2024-08-05T20:35:20.955Z

Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.427Z

MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.327Z

Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.340Z

MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.333Z

The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.392Z

SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.707Z

MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.036Z

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.918Z

The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.728Z

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.943Z

The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.816Z

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.938Z

Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.974Z

Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.699Z

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.683Z

Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.700Z

Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.882Z

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.353Z

newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:37.623Z

SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T02:50:38.224Z

MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T08:36:30.817Z

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files."

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T08:36:31.035Z

Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T08:36:30.559Z

SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T08:36:30.884Z

xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.

Published: 2017-01-31T22:00:00.000Z
Updated: 2024-08-06T08:36:30.417Z

Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post.

Published: 2015-09-03T17:00:00.000Z
Updated: 2024-08-06T06:18:12.065Z

Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."

Published: 2015-03-29T21:00:00.000Z
Updated: 2024-08-06T05:24:38.933Z

The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors.

Published: 2015-03-19T14:00:00.000Z
Updated: 2024-08-06T05:10:16.295Z

A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors.

Published: 2015-03-18T14:00:00.000Z
Updated: 2024-08-06T05:10:16.275Z

Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2015-03-18T14:00:00.000Z
Updated: 2024-08-06T05:10:16.265Z

Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2015-03-18T14:00:00.000Z
Updated: 2024-08-06T05:10:16.025Z

Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2015-03-18T14:00:00.000Z
Updated: 2024-08-06T05:10:16.163Z

Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.

Published: 2015-03-18T14:00:00.000Z
Updated: 2024-08-06T05:02:43.413Z

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode.

Published: 2014-08-14T18:00:00.000Z
Updated: 2024-09-16T21:04:27.064Z

Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.

Published: 2020-02-11T18:23:37.000Z
Updated: 2024-08-06T10:57:17.354Z

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.

Published: 2020-02-11T18:48:04.000Z
Updated: 2024-08-06T10:57:17.832Z

Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.

Published: 2014-03-03T16:00:00.000Z
Updated: 2024-08-06T09:50:11.072Z

Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.

Published: 2014-01-10T16:00:00.000Z
Updated: 2024-09-17T01:50:54.525Z

Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup.

Published: 2014-01-08T15:00:00.000Z
Updated: 2024-09-16T19:45:42.403Z

MyBB (aka MyBulletinBoard) before 1.6.7 allows remote attackers to obtain sensitive information via a malformed forumread cookie, which reveals the installation path in an error message.

Published: 2012-08-13T18:00:00.000Z
Updated: 2024-09-17T02:58:18.551Z

Cross-site scripting (XSS) vulnerability in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to inject arbitrary web script or HTML via a malformed file name in an orphaned attachment.

Published: 2012-08-13T18:00:00.000Z
Updated: 2024-09-16T16:37:30.858Z

SQL injection vulnerability in the User Inline Moderation feature in the Admin Control Panel (ACP) in MyBB (aka MyBulletinBoard) before 1.6.7 allows remote administrators to execute arbitrary SQL commands via unspecified vectors.

Published: 2012-08-13T18:00:00.000Z
Updated: 2024-09-16T23:55:43.800Z

Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP).

Published: 2012-08-13T18:00:00.000Z
Updated: 2024-09-16T18:18:14.658Z

Unspecified vulnerability in MyBB before 1.6.5 has unknown impact and attack vectors, related to an "unparsed user avatar in the buddy list."

Published: 2012-08-30T22:00:00.000Z
Updated: 2024-09-17T00:51:26.797Z

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.5 allows remote attackers to inject arbitrary web script or HTML via vectors related to "usernames via AJAX."

Published: 2012-08-30T22:00:00.000Z
Updated: 2024-08-07T00:23:40.249Z

Cross-site request forgery (CSRF) vulnerability in global.php in MyBB before 1.6.5 allows remote attackers to hijack the authentication of a user for requests that change the user's language via the language parameter.

Published: 2012-08-30T22:00:00.000Z
Updated: 2024-08-07T00:23:40.140Z

SQL injection vulnerability in userbarsettings.php in the Userbar plugin 2.2 for MyBB Forum allows remote attackers to execute arbitrary SQL commands via the image2 parameter.

Published: 2011-11-29T11:00:00.000Z
Updated: 2024-08-07T00:09:19.028Z

Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.

Published: 2012-08-13T23:00:00.000Z
Updated: 2024-09-17T04:10:28.021Z

MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.935Z

member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.919Z

Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.971Z

The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.916Z

MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.744Z

MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created.

Published: 2010-12-30T20:00:00.000Z
Updated: 2024-08-07T03:51:17.658Z

SQL injection vulnerability in pages.php in Custom Pages 1.0 plugin for MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the page parameter.

Published: 2009-02-20T00:00:00.000Z
Updated: 2024-08-07T11:20:25.324Z

moderation.php in MyBB (aka MyBulletinBoard) before 1.4.1 does not properly check for moderator privileges, which has unknown impact and remote attack vectors.

Published: 2008-09-10T15:00:00.000Z
Updated: 2024-08-07T10:00:42.598Z

Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php.

Published: 2008-09-10T15:00:00.000Z
Updated: 2024-08-07T10:00:42.292Z

SQL injection vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.4.1 allows remote attackers to execute arbitrary SQL commands via a certain editor field.

Published: 2008-09-10T15:00:00.000Z
Updated: 2024-08-07T10:00:42.125Z

Cross-site scripting (XSS) vulnerability in MyBB 1.2.x before 1.2.14 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly involving search.php.

Published: 2008-07-27T23:00:00.000Z
Updated: 2024-08-07T09:37:27.076Z

Directory traversal vulnerability in inc/class_language.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $language variable.

Published: 2008-07-08T18:00:00.000Z
Updated: 2024-08-07T09:21:35.154Z

Unspecified vulnerability in inc/datahandler/user.php in MyBB before 1.2.13 has unknown impact and attack vectors related to the $user['language'] variable, probably related to SQL injection.

Published: 2008-07-08T18:00:00.000Z
Updated: 2024-08-07T09:21:35.046Z

Multiple cross-site scripting (XSS) vulnerabilities in MyBB before 1.2.13 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters to (1) portal.php and (2) inc/functions_post.php.

Published: 2008-07-08T18:00:00.000Z
Updated: 2024-08-07T09:21:34.953Z

Multiple cross-site request forgery (CSRF) vulnerabilities in MyBB 1.2.11 and earlier allow remote attackers to (1) hijack the authentication of moderators or administrators for requests that delete threads via a do_multideletethreads action to moderation.php and (2) hijack the authentication of arbitrary users for requests that delete private messages (PM) via a delete action to private.php.

Published: 2008-02-15T00:00:00.000Z
Updated: 2024-08-07T08:01:38.909Z

Multiple SQL injection vulnerabilities in MyBB 1.2.10 and earlier allow remote moderators and administrators to execute arbitrary SQL commands via (1) the mergepost parameter in a do_mergeposts action, (2) rid parameter in an allreports action, or (3) threads parameter in a do_multimovethreads action to (a) moderation.php; or (4) gid parameter to (b) admin/usergroups.php.

Published: 2008-01-22T19:00:00.000Z
Updated: 2024-08-07T07:46:54.256Z

SQL injection vulnerability in the create_session function in class_session.php in MyBB (aka MyBulletinBoard) 1.2.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, as utilized by index.php, a related issue to CVE-2006-3775.

Published: 2007-04-11T10:00:00.000Z
Updated: 2024-08-07T13:13:42.000Z

MyBB 1.2.4 allows remote attackers to obtain sensitive information via the (1) action[] parameter to member.php, (2) imagehash[] parameter to captcha.php, and (3) a direct request to inc/datahandlers/event.php, which reveal the installation path in the resulting error message.

Published: 2007-05-14T21:00:00.000Z
Updated: 2024-08-07T12:26:54.361Z

Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.

Published: 2006-01-16T21:00:00.000Z
Updated: 2024-09-17T02:37:44.003Z