MidnightBSD

Advisories for fudforum

CVE-2013-2267 HIGH

PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-94,

Products Affected

Vendor Product Version
fudforum fudforum 3.0.4
CVE-2013-5309 LOW

Cross-site scripting (XSS) vulnerability in install/forum_data/src/custom_fields.inc.t in FUDforum 3.0.4.1 and earlier, when registering a new user, allows remote attackers to inject arbitrary web script or HTML via a custom profile field to index.php. NOTE: some of these details are obtained from third party information.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
ilia_alshanetsky fudforum 2.6.12
ilia_alshanetsky fudforum 2.5.1
ilia_alshanetsky fudforum 2.1.2
ilia_alshanetsky fudforum 2.6.15
fudforum fudforum 2.7.7
ilia_alshanetsky fudforum 2.6.4
ilia_alshanetsky fudforum 2.3.6
fudforum fudforum 2.7.4
ilia_alshanetsky fudforum 2.1.3
ilia_alshanetsky fudforum 2.2.2
fudforum fudforum 2.7.3
ilia_alshanetsky fudforum 2.2.3
ilia_alshanetsky fudforum 2.0.2
fudforum fudforum 2.7.6
ilia_alshanetsky fudforum 2.1.0
ilia_alshanetsky fudforum 2.6.0
fudforum fudforum 2.7.2
ilia_alshanetsky fudforum 2.6.5
ilia_alshanetsky fudforum 2.3.7
ilia_alshanetsky fudforum 2.6.6
ilia_alshanetsky fudforum 2.6.8
ilia_alshanetsky fudforum 2.5.0
ilia_alshanetsky fudforum 2.7.1
ilia_alshanetsky fudforum 2.2.5
fudforum fudforum 3.0.2
fudforum fudforum 2.8.0
ilia_alshanetsky fudforum 2.6.3
ilia_alshanetsky fudforum 2.6.11
ilia_alshanetsky fudforum 2.3.2
ilia_alshanetsky fudforum 2.6.14
fudforum fudforum 2.7.5
fudforum fudforum 3.0.3
fudforum fudforum 3.0.4
ilia_alshanetsky fudforum 2.3.4
ilia_alshanetsky fudforum 1.9.8
ilia_alshanetsky fudforum 2.5.2
ilia_alshanetsky fudforum 2.1.1
ilia_alshanetsky fudforum 2.7.0
fudforum fudforum 3.0.0
ilia_alshanetsky fudforum 2.3.1
ilia_alshanetsky fudforum 2.6.1
ilia_alshanetsky fudforum 2.6.13
ilia_alshanetsky fudforum 1.2.8
ilia_alshanetsky fudforum 2.6.2
fudforum fudforum 3.0.1
ilia_alshanetsky fudforum 2.2.4
ilia_alshanetsky fudforum 2.3.0
fudforum fudforum *
ilia_alshanetsky fudforum 2.3.5
ilia_alshanetsky fudforum 2.6.9
ilia_alshanetsky fudforum 2.2.1
fudforum fudforum 2.8.1
ilia_alshanetsky fudforum 2.2.0
ilia_alshanetsky fudforum 2.6.7
ilia_alshanetsky fudforum 2.6.10
ilia_alshanetsky fudforum 2.3.3
ilia_alshanetsky fudforum 2.3.8
CVE-2019-18839 HIGH

FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. This may result in remote code execution. An attacker can use a user account to fully compromise the system using a POST request. When the admin visits the user information, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.0.9
CVE-2019-18873 HIGH

FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP header. This may result in remote code execution. An attacker can use a user account to fully compromise the system via a GET request. When the admin visits user information under "User Manager" in the control panel, the payload will execute. This will allow for PHP files to be written to the web root, and for code to execute on the remote server. The problem is in admsession.php and admuser.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 2.3 6.0

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.0.9
CVE-2021-27519 MEDIUM

A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.1.0
CVE-2021-27520 MEDIUM

A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.1.0
CVE-2022-28545 LOW

FUDforum 3.1.1 is vulnerable to Stored XSS.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.1.1
CVE-2022-30860 MEDIUM

FUDforum 3.1.2 is vulnerable to Remote Code Execution through Upload File feature of File Administration System in Admin Control Panel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-434,

Products Affected

Vendor Product Version
fudforum fudforum *
CVE-2022-30861 LOW

FUDforum 3.1.2 is vulnerable to Stored XSS via Forum Name field in Forum Manager Feature.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.1.2
CVE-2022-30863 LOW

FUDForum 3.1.2 is vulnerable to Cross Site Scripting (XSS) via page_title param in Page Manager in the Admin Control Panel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
fudforum fudforum 3.1.2
CVE-2024-30950

A stored cross-site scripting (XSS) vulnerability in FUDforum v3.1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SQL statements field under /adm/admsql.php.

Products Affected

Vendor Product Version
fudforum fudforum 3.1.3
CVE-2024-30951

FUDforum v3.1.3 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the chpos parameter at /adm/admsmiley.php.

Products Affected

Vendor Product Version
fudforum fudforum 3.1.3