Multiple cross-site scripting (XSS) vulnerabilities in profile.php in 427BB 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) Avatar parameters.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other
Products Affected
| Vendor | Product | Version |
|---|---|---|
| 427bb | fourtwosevenbb | 2.1.1 |
| 427bb | fourtwosevenbb | 2.0 |
| 427bb | fourtwosevenbb | 2.2.1 |
| 427bb | fourtwosevenbb | 2.0.1 |
| 427bb | fourtwosevenbb | 2.1 |
| 427bb | fourtwosevenbb | 2.1.3 |
| 427bb | fourtwosevenbb | 2.1.2 |
| 427bb | fourtwosevenbb | 2.2 |

427BB 2.2 and 2.2.1 verify authentication credentials based on the username, authenticated, and usertype cookies, which allows remote attackers to bypass authentication by using a valid username and usertype and setting the authenticated cookie.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other
Products Affected
| Vendor | Product | Version |
|---|---|---|
| 427bb | fourtwosevenbb | 2.2.1 |
| 427bb | fourtwosevenbb | 2.2 |

SQL injection vulnerability in showthread.php in 427BB 2.2 and 2.2.1 allows remote attackers to execute arbitrary SQL commands via the ForumID parameter.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other
Products Affected
| Vendor | Product | Version |
|---|---|---|
| 427bb | fourtwosevenbb | 2.2.1 |
| 427bb | fourtwosevenbb | 2.2 |

Cross-site scripting (XSS) vulnerability in posts.php in 427BB 2.2 and 2.2.1 allows remote attackers to inject arbitrary JavaScript via a new message with a url bbcode tag containing a javascript URI.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other
Products Affected
| Vendor | Product | Version |
|---|---|---|
| 427bb | fourtwosevenbb | 2.2.1 |
| 427bb | fourtwosevenbb | 2.2 |