MidnightBSD

Advisories for mybb

CVE-2005-4199 HIGH

Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb 1.0
mybb mybb *
CVE-2006-0218 HIGH

Multiple unspecified vulnerabilities in MyBulletinBoard (MyBB) before 1.0.2 have unspecified impact and attack vectors, related to (1) admin/moderate.php, (2) admin/themes.php, (3) inc/functions.php, (4) inc/functions_upload.php, (5) printthread.php, and (6) usercp.php, and probably related to SQL injection. NOTE: it is likely that this issue subsumes CVE-2005-4602 and CVE-2005-4603. However, since the vendor advisory is vague and additional files are mentioned, is is likely that this contains at least one distinct vulnerability from CVE-2005-4602 and CVE-2005-4603.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mybb mybb 1.0
mybb mybb 1.00
mybb mybb *
CVE-2006-0442 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in usercp.php in MyBulletinBoard (MyBB) 1.02 allow remote attackers to inject arbitrary web script or HTML via the (1) notepad parameter in a notepad action and (2) signature parameter in an editsig action. NOTE: These are different attack vectors, and probably a different vulnerability, than CVE-2006-0218 and CVE-2006-0219.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.0.2
CVE-2006-2070 MEDIUM

Cross-site scripting (XSS) vulnerability in member.php in DevBB 1.0.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the member parameter in a viewpro action.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mybb devbb 1.0.0
CVE-2008-4929 MEDIUM

MyBB (aka MyBulletinBoard) 1.4.2 uses insufficient randomness to compose filenames of uploaded files used as attachments, which makes it easier for remote attackers to read these files by guessing filenames.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,

Products Affected

Vendor Product Version
mybb mybb 1.4.2
CVE-2008-7082 MEDIUM

MyBB (aka MyBulletinBoard) 1.4.3 includes the sensitive my_post_key parameter in URLs to moderation.php with the (1) mergeposts, (2) split, and (3) deleteposts actions, which allows remote attackers to steal the token and bypass the cross-site request forgery (CSRF) protection mechanism to hijack the authentication of moderators by reading the token from the HTTP Referer header.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mybb mybb 1.4.3
CVE-2009-4448 MEDIUM

inc/functions_time.php in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, allows remote attackers to cause a denial of service (CPU consumption) via a crafted request with a large year value, which triggers a long loop, as reachable through member.php and possibly other vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-399,

Products Affected

Vendor Product Version
mybb mybb 1.4.10
CVE-2009-4813 MEDIUM

Cross-site scripting (XSS) vulnerability in myps.php in MyBB (aka MyBulletinBoard) 1.4.10 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a donate action.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.4.10
CVE-2010-4522 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.4.14, and 1.6.x before 1.6.1, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) editpost.php, (2) member.php, and (3) newreply.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.4.14
mybb mybb 1.6.0
CVE-2010-4624 LOW

MyBB (aka MyBulletinBoard) before 1.4.12 allows remote authenticated users to bypass intended restrictions on the number of [img] MyCodes by editing a post after it has been created.

CVSS 2.0

Severity: LOW

Problem Type: CWE-264,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-4625 MEDIUM

MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-4626 MEDIUM

The my_rand function in functions.php in MyBB (aka MyBulletinBoard) before 1.4.12 does not properly use the PHP mt_rand function, which makes it easier for remote attackers to obtain access to an arbitrary account by requesting a reset of the account's password, and then conducting a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-4627 MEDIUM

Cross-site request forgery (CSRF) vulnerability in usercp2.php in MyBB (aka MyBulletinBoard) before 1.4.12 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-4628 MEDIUM

member.php in MyBB (aka MyBulletinBoard) before 1.4.12 makes a certain superfluous call to the SQL COUNT function, which allows remote attackers to cause a denial of service (resource consumption) by making requests to member.php that trigger scans of the entire users table.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-4629 MEDIUM

MyBB (aka MyBulletinBoard) before 1.4.12 does not properly restrict uid values for group join requests, which allows remote attackers to cause a denial of service (resource consumption) by using guest access to submit join request forms for moderated groups, related to usercp.php and managegroup.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.04
mybb mybb 1.4.2
mybb mybb 1.1.1
mybb mybb 1.2.7
mybb mybb 1.2.2
mybb mybb 1.1.6
mybb mybb 1.4.0
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.2.6
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.1.5
mybb mybb 1.2.13
mybb mybb 1.02
mybb mybb 1.4.3
mybb mybb 1.2.8
CVE-2010-5096 HIGH

Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.1 allow remote attackers to execute arbitrary SQL commands via the keywords parameter in a (1) do_search action to search.php or (2) do_stuff action to private.php. NOTE: the vendor disputes this issue, saying "Although this doesn't lead to an SQL injection, it does provide a general MyBB SQL error.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.4.2
mybb mybb 1.4.12
mybb mybb 1.4.7
mybb mybb 1.1.1
mybb mybb 1.2.2
mybb mybb 1.2.14
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.0
mybb mybb 1.4.15
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybboard mybb 1.4.10
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.2.6
mybb mybb 1.4.14
mybb mybb 1.4.4
mybb mybb 1.5.1
mybb mybb 1.1.5
mybb mybb 1.4.3
mybb mybb 1.2.8
mybb mybb 1.04
mybb mybb 1.2.7
mybb mybb 1.1.6
mybb mybb 1.3
mybb mybb 1.4.0
mybb mybb 1.2.12
mybb mybb 1.1.2
mybb mybb 1.5.2
mybb mybb 1.4.13
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.4.5
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.4.16
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybboard mybb 1.4.3
mybb mybb 1.4.1
mybb mybb 1.4.11
mybb mybb 1.2.13
mybb mybb 1.02
CVE-2011-10018

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mybb mybb 1.6.4
CVE-2011-3759 MEDIUM

MyBB (aka MyBulletinBoard) 1.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by inc/3rdparty/diff/Diff/ThreeWay.php and certain other files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb mybb 1.6.0
CVE-2012-5908 MEDIUM

Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.6.6
CVE-2012-5909 HIGH

SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb 1.6.6
CVE-2013-6936 HIGH

Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb ajax_forum_stat 2.0
CVE-2013-7275 MEDIUM

Cross-site scripting (XSS) vulnerability in misc.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via the editor parameter in a smilie list popup.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.6.2
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.4.2
mybb mybb 1.4.12
mybb mybb 1.4.7
mybb mybb 1.1.1
mybb mybb 1.6.1
mybb mybb 1.6.7
mybb mybb 1.2.2
mybb mybb 1.2.14
mybb mybb 1.6.10
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.0
mybb mybb 1.4.15
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.6.0
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.6.8
mybb mybb 1.2.6
mybb mybb 1.4.14
mybb mybb 1.4.4
mybb mybb 1.6.4
mybb mybb 1.5.1
mybb mybb 1.6.6
mybb mybb 1.1.5
mybb mybb 1.6.3
mybb mybb 1.4.3
mybb mybb 1.2.8
mybb mybb 1.04
mybb mybb 1.2.7
mybb mybb 1.1.6
mybb mybb 1.3
mybb mybb 1.4.0
mybb mybb 1.2.12
mybb mybb 1.6.9
mybb mybb 1.1.2
mybb mybb 1.5.2
mybb mybb 1.4.13
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.4.5
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.4.16
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.6.5
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.4.1
mybb mybb 1.4.11
mybb mybb 1.2.13
mybb mybb 1.02
CVE-2013-7288 MEDIUM

Cross-site scripting (XSS) vulnerability in the mycode_parse_video function in inc/class_parser.php in MyBB (aka MyBulletinBoard) before 1.6.12 allows remote attackers to inject arbitrary web script or HTML via vectors related to Yahoo video URLs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.4.6
mybb mybb 1.2.1
mybb mybb 1.6.2
mybb mybb 1.2.0
mybb mybb 1.2.11
mybb mybb 1.4.2
mybb mybb 1.4.12
mybb mybb 1.4.7
mybb mybb 1.1.1
mybb mybb 1.6.1
mybb mybb 1.6.7
mybb mybb 1.2.2
mybb mybb 1.2.14
mybb mybb 1.6.10
mybb mybb 1.2.3
mybb mybb 1.4.9
mybb mybb 1.0
mybb mybb 1.4.15
mybb mybb 1.2
mybb mybb 1.2.10
mybb mybb 1.4.8
mybb mybb 1.6.0
mybb mybb 1.1.0
mybb mybb *
mybb mybb 1.6.8
mybb mybb 1.2.6
mybb mybb 1.4.14
mybb mybb 1.4.4
mybb mybb 1.6.4
mybb mybb 1.5.1
mybb mybb 1.6.6
mybb mybb 1.1.5
mybb mybb 1.6.3
mybb mybb 1.4.3
mybb mybb 1.2.8
mybb mybb 1.04
mybb mybb 1.2.7
mybb mybb 1.1.6
mybb mybb 1.3
mybb mybb 1.4.0
mybb mybb 1.2.12
mybb mybb 1.6.9
mybb mybb 1.1.2
mybb mybb 1.5.2
mybb mybb 1.4.13
mybb mybb 1.1.3
mybb mybb 1.01
mybb mybb 1.2.4
mybb mybb 1.4.5
mybb mybb 1.03
mybb mybb 1.4.10
mybb mybb 1.4.16
mybb mybb 1.1.4
mybb mybb 1.1.8
mybb mybb 1.6.5
mybb mybb 1.1.7
mybb mybb 1.2.5
mybb mybb 1.2.9
mybb mybb 1.00
mybb mybb 1.4.1
mybb mybb 1.4.11
mybb mybb 1.2.13
mybb mybb 1.02
CVE-2014-1840 MEDIUM

Cross-site scripting (XSS) vulnerability in Upload/search.php in MyBB 1.6.12 and earlier allows remote attackers to inject arbitrary web script or HTML via the keywords parameter in a do_search action, which is not properly handled in a forced SQL error message.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.6.2
mybb mybb 1.6.8
mybb mybb 1.6.11
mybb mybb 1.6.1
mybb mybb 1.6.7
mybb mybb 1.6.10
mybb mybb 1.6.4
mybb mybb 1.6.5
mybb mybb 1.6.9
mybb mybb 1.6.6
mybb mybb 1.6.0
mybb mybb 1.6.3
mybb mybb *
CVE-2014-3826 LOW

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.13 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter in the edit action of the config-profile_fields module.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2014-3827 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the title parameter in the (1) edit or (2) add action in the user-users module or the (3) finduser action or the name parameter in an (4) edit action in the user-user module or the (5) editprofile action to modcp.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2014-5248 MEDIUM

Cross-site scripting (XSS) vulnerability in MyBB before 1.6.15 allows remote attackers to inject arbitrary web script or HTML via vectors related to video MyCode.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.6.2
mybb mybb 1.6.8
mybb mybb 1.6.11
mybb mybb 1.6.1
mybb mybb 1.6.7
mybb mybb 1.6.10
mybb mybb 1.6.4
mybb mybb 1.6.5
mybb mybb 1.6.9
mybb mybb 1.6.12
mybb mybb 1.6.13
mybb mybb 1.6.6
mybb mybb 1.6.0
mybb mybb 1.6.3
mybb mybb *
CVE-2014-9240 HIGH

SQL injection vulnerability in member.php in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allows remote attackers to execute arbitrary SQL commands via the question_id parameter in a do_register action.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb 1.8.0
mybb mybb 1.8.1
CVE-2014-9241 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.0
mybb mybb 1.8.1
CVE-2015-2149 LOW

Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2332 MEDIUM

Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2333 MEDIUM

Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2334 MEDIUM

Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2335 MEDIUM

A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2352 HIGH

The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-2786 HIGH

Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-4552 MEDIUM

Cross-site scripting (XSS) vulnerability in the quick edit function in xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.8.5 allows remote attackers to inject arbitrary web script or HTML via the content of a post.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2015-8973 HIGH

xmlhttp.php in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to bypass intended access restrictions via vectors related to the forum password.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb 1.8.4
mybb mybb 1.8.5
mybb mybb 1.8.2
mybb mybb 1.8.3
mybb mybb 1.8.0
mybb mybb *
mybb mybb 1.8.1
CVE-2015-8974 HIGH

SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb 1.8.4
mybb mybb 1.8.5
mybb mybb 1.8.2
mybb mybb 1.8.3
mybb mybb 1.8.0
mybb mybb *
mybb mybb 1.8.1
CVE-2015-8975 MEDIUM

Cross-site scripting (XSS) vulnerability in the error handler in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system 1.8.5
mybb mybb 1.8.4
mybb mybb 1.8.5
mybb mybb 1.8.2
mybb mybb 1.8.3
mybb mybb 1.8.0
mybb mybb *
mybb mybb 1.8.1
CVE-2015-8976 MEDIUM

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 might allow remote attackers to inject arbitrary web script or HTML via vectors related to "old upgrade files."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system 1.8.5
mybb mybb 1.8.4
mybb mybb 1.8.5
mybb mybb 1.8.2
mybb mybb 1.8.3
mybb mybb 1.8.0
mybb mybb *
mybb mybb 1.8.1
CVE-2015-8977 MEDIUM

MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-532,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb 1.8.4
mybb mybb 1.8.5
mybb mybb 1.8.2
mybb mybb 1.8.3
mybb mybb 1.8.0
mybb mybb *
mybb mybb 1.8.1
CVE-2016-9402 HIGH

SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9403 HIGH

newreply.php in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to have unspecified impact by leveraging a missing permission check.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9404 MEDIUM

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors related to login.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9405 MEDIUM

Cross-site scripting (XSS) vulnerability in member validation in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9406 MEDIUM

Cross-site scripting (XSS) vulnerability in the User control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9407 MEDIUM

Cross-site scripting (XSS) vulnerability in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving Mod control panel logs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9408 MEDIUM

Cross-site scripting (XSS) vulnerability in the Mod control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving editing users.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9409 MEDIUM

Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to inject arbitrary web script or HTML via vectors involving pruning logs.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9410 MEDIUM

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 might allow remote attackers to obtain sensitive database information via vectors involving templates.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9411 MEDIUM

The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to obtain the installation path via vectors involving sending mails.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9412 HIGH

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-284,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9413 MEDIUM

The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9414 MEDIUM

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow remote attackers to obtain sensitive information by leveraging missing directory listing protection in upload directories.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9415 MEDIUM

MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import."

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9416 HIGH

SQL injection vulnerability in the users data handler in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9417 MEDIUM

The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9418 MEDIUM

MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows might allow remote attackers to obtain sensitive information from ACP backups via vectors involving a short name.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9419 MEDIUM

Cross-site scripting (XSS) vulnerability in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2016-9420 HIGH

MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allow remote attackers to have unspecified impact via vectors related to "loose comparison false positives."

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2016-9421 MEDIUM

Cross-site scripting (XSS) vulnerability in the Users module in the Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb merge_system *
mybb mybb *
CVE-2017-16780 HIGH

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the configuration file.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2017-16781 LOW

The installer in MyBB before 1.8.13 has XSS.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2017-7566 MEDIUM

MyBB before 1.8.11 allows remote attackers to bypass an SSRF protection mechanism.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2017-8103 MEDIUM

In MyBB before 1.8.11, the Email MyCode component allows XSS, as demonstrated by an onmouseover event.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2017-8104 MEDIUM

In MyBB before 1.8.11, the smilie module allows Directory Traversal via the pathfolder parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-1000502 MEDIUM

MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-829,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-1000503 MEDIUM

MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-10678 MEDIUM

MyBB 1.8.15, when accessed with Microsoft Edge, mishandles 'target="_blank" rel="noopener"' in A elements, which makes it easier for remote attackers to conduct redirection attacks.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
mybb mybb 1.8.15
CVE-2018-14392 MEDIUM

The New Threads plugin before 1.2 for MyBB has XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb new_threads *
CVE-2018-14575 MEDIUM

Trash Bin plugin 1.1.3 for MyBB has cross-site scripting (XSS) via a thread subject and a cross-site request forgery (CSRF) via a post subject.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-352,

Products Affected

Vendor Product Version
mybb trash_bin 1.1.3
CVE-2018-14724 LOW

In the Ban List plugin 1.0 for MyBB, any forum user with mod privileges can ban users and input an XSS payload into the ban reason, which is executed on the bans.php page.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb ban_list 1.0
CVE-2018-15596 MEDIUM

An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.17
CVE-2018-17128 LOW

A Persistent XSS issue was discovered in the Visual Editor in MyBB before 1.8.19 via a Video MyCode.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-19201 MEDIUM

A reflected XSS vulnerability in the ModCP Profile Editor in MyBB before 1.8.20 allows remote attackers to inject JavaScript via the 'username' parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-19202 MEDIUM

A reflected XSS vulnerability in index.php in MyBB 1.8.x through 1.8.19 allows remote attackers to inject JavaScript via the 'upsetting[bburl]' parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2018-6844 LOW

MyBB 1.8.14 has XSS via the Title or Description field on the Edit Forum screen.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.14
CVE-2018-7305 MEDIUM

MyBB 1.8.14 is not checking for a valid CSRF token, leading to arbitrary deletion of user accounts.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
mybb mybb 1.8.14
CVE-2019-12830 LOW

In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2019-12831 MEDIUM

In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2019-20225 MEDIUM

MyBB before 1.8.22 allows an open redirect on login.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2019-3578 MEDIUM

MyBB 1.8.19 has XSS in the resetpassword function.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.19
mybb mybb 1.18.19
CVE-2019-3579 MEDIUM

MyBB 1.8.19 allows remote attackers to obtain sensitive information because it discloses the username upon receiving a password-reset request that lacks the code parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
mybb mybb 1.8.19
mybb mybb 1.18.19
CVE-2020-15139 MEDIUM

In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
security-advisories@github.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2020-19048 LOW

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Title" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.20
CVE-2020-19049 LOW

Cross Site Scripting (XSS) in MyBB v1.8.20 allows remote attackers to inject arbitrary web script or HTML via the "Description" field found in the "Add New Forum" page by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb 1.8.20
CVE-2020-22612

Installer RCE on settings file write in MyBB before 1.8.22.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27279 LOW

MyBB before 1.8.25 allows stored XSS via nested [email] tags with MyCode (aka BBCode).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27889 MEDIUM

Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27890 MEDIUM

SQL Injection vulnerablity in MyBB before 1.8.26 via theme properties included in theme XML files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27946 MEDIUM

SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27947 MEDIUM

SQL Injection vulnerability in MyBB before 1.8.26 via the Copy Forum feature in Forum Management. (issue 2 of 3).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27948 MEDIUM

SQL Injection vulnerability in MyBB before 1.8.26 via User Groups. (issue 3 of 3).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-27949 MEDIUM

Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-41866 LOW

MyBB before 1.8.28 allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2021-43281 MEDIUM

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-24734 MEDIUM

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
security-advisories@github.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,CWE-94,

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-28354

In the Active Threads Plugin 1.3.0 for MyBB, the activethreads.php date parameter is vulnerable to XSS when setting a time period.

Products Affected

Vendor Product Version
mybb active_threads 1.3.0
CVE-2022-39265

MyBB is a free and open source forum software. The _Mail Settings_ → Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-43707

MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-43708

MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with specially crafted name

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-43709

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

Products Affected

Vendor Product Version
mybb mybb *
CVE-2022-45867

MyBB before 1.8.33 allows Directory Traversal. The Admin CP Languages module allows remote authenticated users, with high privileges, to achieve local file inclusion and execution.

Products Affected

Vendor Product Version
mybb mybb *
CVE-2023-28467

In MyBB before 1.8.34, there is XSS in the User CP module via the user email field.

Products Affected

Vendor Product Version
mybb mybb *
CVE-2023-41362

MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
mybb mybb *
CVE-2023-45556

Cross Site Scripting vulnerability in Mybb Mybb Forums v.1.8.33 allows a local attacker to execute arbitrary code via the theme Name parameter in the theme management component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
mybb mybb *
CVE-2023-46251

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
mybb mybb *
CVE-2023-53976

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
mybb mybb 1.8.26
CVE-2023-53977

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
mybb mybb 1.8.26
CVE-2023-53978

myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7

Products Affected

Vendor Product Version
mybb mybb 1.8.26
CVE-2023-53979

MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
disclosure@vulncheck.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
mybb mybb 1.8.32
CVE-2024-23335

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

Products Affected

Vendor Product Version
mybb mybb *
CVE-2024-23336

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.6 3.4

Products Affected

Vendor Product Version
mybb mybb *
CVE-2024-52702

A stored cross-site scripting (XSS) vulnerability in the component install\index.php of MyBB v1.8.38 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Website Name parameter. NOTE: this is disputed by the Supplier because Website Name can only be set by an administrator, who may use JavaScript if they wish.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
mybb mybb 1.8.38
CVE-2025-29457

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
mybb mybb 1.8.38
CVE-2025-29458

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
mybb mybb 1.8.38
CVE-2025-29459

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
mybb mybb 1.8.38
CVE-2025-29460

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add Mycode function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
mybb mybb 1.8.38
CVE-2025-48940

MyBB is free and open source forum software. Prior to version 1.8.39, the upgrade component does not validate user input properly, which allows attackers to perform local file inclusion (LFI) via a specially crafted parameter value. In order to exploit the vulnerability, the installer must be unlocked (no `install/lock` file present) and the upgrade script must be accessible (by re-installing the forum via access to `install/index.php`; when the forum has not yet been installed; or the attacker is authenticated as a forum administrator). MyBB 1.8.39 resolves this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
mybb mybb *
CVE-2025-48941

MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
mybb mybb *