MidnightBSD

Advisories for layerbb

CVE-2018-17988 HIGH

LayerBB 1.1.1 and 1.1.3 has SQL Injection via the search.php search_query parameter.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   3.9             5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.3
layerbb  layerbb  1.1.1

CVE-2018-17996 MEDIUM

LayerBB before 1.1.3 allows CSRF for adding a user via admin/new_user.php, deleting a user via admin/members.php/delete_user/, and deleting content via mod/delete.php/.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.2

CVE-2018-17997 MEDIUM

LayerBB 1.1.1 allows XSS via the titles of conversations (PMs).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.1

CVE-2019-13972 MEDIUM

LayerBB 1.1.3 allows XSS via the application/commands/new.php pm_title variable, a related issue to CVE-2019-17997.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.3

CVE-2019-13973 HIGH

LayerBB 1.1.3 allows admin/general.php arbitrary file upload because the custom_logo filename suffix is not restricted, and .php may be used.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-434

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.3

CVE-2019-13974 MEDIUM

LayerBB 1.1.3 allows conversations.php/cmd/new CSRF.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor   Product  Version
layerbb  layerbb  1.1.3

CVE-2019-16531 MEDIUM

LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by changing the System Settings via admin/general.php.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H   2.8             5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352

Products Affected

Vendor   Product  Version
layerbb  layerbb  *