MidnightBSD

Advisories for punbb

CVE-2005-0569 HIGH

Multiple SQL injection vulnerabilities in PunBB 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) language parameter to register.php, (2) change email feature in profile.php, (3) posts or (4) topics parameter to moderate.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.1
CVE-2005-0570 MEDIUM

profile.php in PunBB 1.2.1 allows remote attackers to cause a denial of service (account lockout) by setting the user's password to NULL.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.1
CVE-2005-0571 MEDIUM

admin_loader.php in PunBB 1.2.1 allows remote attackers to read arbitrary files via the plugin parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.1
CVE-2005-0818 MEDIUM

Cross-site scripting (XSS) vulnerability in PunBB 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) email or (2) Jabber parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
CVE-2005-1051 MEDIUM

SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.1.2
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-1072 MEDIUM

Cross-site scripting (XSS) vulnerability in PunBB before 1.2.5 allows remote attackers to inject arbitrary web script or HTML.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.1.2
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-2193 HIGH

SQL injection vulnerability in the user profile edit module in profile.php for PunBB 1.2.5 and earlier allows remote attackers to execute arbitrary SQL statements via the temp array, which is not initialized before it is used and prevents the attacker-supplied portions of the array from being properly escaped.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.1.2
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-3078 MEDIUM

Cross-site scripting (XSS) vulnerability in PunBB before 1.2.8 allows remote attackers to inject arbitrary web script or HTML via the "forgotten e-mail" feature.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.0_beta1a
punbb punbb 1.1.2
punbb punbb 1.2
punbb punbb 1.2.7
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.2.6
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-3079 MEDIUM

PunBB before 1.2.8 allows remote attackers to perform "code inclusion" via the user language selection.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.0_beta1a
punbb punbb 1.1.2
punbb punbb 1.2
punbb punbb 1.2.7
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.2.6
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-3328 HIGH

PHP remote file inclusion vulnerability in common.php in PunBB 1.1.2 through 1.1.5 allows remote attackers to execute arbitrary code via the pun_root parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.1.2
punbb punbb 1.1.5
punbb punbb 1.1.4
punbb punbb 1.1.3
CVE-2005-3518 HIGH

SQL injection vulnerability in search.php in PunBB 1.2.7 and 1.2.8 allows remote attackers to execute arbitrary SQL commands via the old_searches parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.8
punbb punbb 1.2.7
CVE-2005-4665 MEDIUM

Cross-site scripting (XSS) vulnerability in PunBB 1.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via Javascript contained in nested, malformed BBcode url tags.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.1.4
punbb punbb 1.0_beta1
punbb punbb 1.1.2
punbb punbb 1.1.5
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.2.6
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.0_rc2
CVE-2005-4686 MEDIUM

PunBB 1.2.9, when used alone or with F-ART BLOG:CMS, includes config.php before calling the unregister_globals function, which allows attackers to obtain unspecified sensitive information.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.8
punbb punbb 1.2.3
punbb punbb 1.2.7
punbb punbb 1.2.2
punbb punbb 1.2.1
punbb punbb 1.2.4
punbb punbb 1.2.5
punbb punbb 1.2.6
punbb punbb 1.2.9
CVE-2005-4687 MEDIUM

PunBB 1.2.9, used alone or with F-ART BLOG:CMS, may trust a client's IP address as specified in the X-Forwarded-For HTTP header rather than the TCP/IP stack, which allows remote attackers to misrepresent their IP address by sending a modified header.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
f-art_agency blog_cms 4.0.0c
punbb punbb 1.2.3
f-art_agency blog_cms 3.0
punbb punbb 1.2.2
f-art_agency blog_cms 4.0.0
f-art_agency blog_cms 3.6.2
punbb punbb 1.2.9
f-art_agency blog_cms 4.0.0d
f-art_agency blog_cms 3.1.3
punbb punbb 1.2.8
punbb punbb 1.2.7
f-art_agency blog_cms 3.1.2
f-art_agency blog_cms 3.1.4
f-art_agency blog_cms 3.1
punbb punbb 1.2.1
punbb punbb 1.2.4
f-art_agency blog_cms 4.0.0a
punbb punbb 1.2.5
punbb punbb 1.2.6
f-art_agency blog_cms 4.0.0b
f-art_agency blog_cms 3.6.4
CVE-2005-4688 MEDIUM

PunBB 1.2.9 does not require password entry when changing the e-mail address in an account's profile, which might allow an attacker to make an address change via a hijacked login session.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.9
CVE-2006-0865 MEDIUM

PunBB 1.2.10 and earlier allows remote attackers to cause a denial of service (resource consumption) by registering many user accounts quickly.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.2.9
punbb punbb 1.0_beta1
punbb punbb 1.2.8
punbb punbb 1.1.2
punbb punbb 1.2.7
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.2.10
punbb punbb 1.1.4
punbb punbb 1.0_beta1a
punbb punbb 1.2
punbb punbb 1.1.5
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.6
punbb punbb 1.0_rc2
CVE-2006-0866 MEDIUM

PunBB 1.2.10 and earlier allows remote attackers to conduct brute force guessing attacks for an account's password, which may be as short as 4 characters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.2.9
punbb punbb 1.0_beta1
punbb punbb 1.2.8
punbb punbb 1.1.2
punbb punbb 1.2.7
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.2.10
punbb punbb 1.1.4
punbb punbb 1.0_beta1a
punbb punbb 1.2
punbb punbb 1.1.5
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.6
punbb punbb 1.0_rc2
CVE-2006-1089 MEDIUM

Cross-site scripting (XSS) vulnerability in header.php in PunBB 1.2.10 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly handled when the PHP_SELF variable is used to handle a pun_page tag.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.0_alpha
punbb punbb 1.2.9
punbb punbb 1.0_beta1
punbb punbb 1.2.8
punbb punbb 1.1.2
punbb punbb 1.2.7
punbb punbb 1.0.1
punbb punbb 1.0_beta2
punbb punbb 1.2.4
punbb punbb 1.0_beta3
punbb punbb 1.2.5
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.2.10
punbb punbb 1.1.4
punbb punbb 1.0_beta1a
punbb punbb 1.2
punbb punbb 1.1.5
punbb punbb 1.0_rc1
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.2.6
punbb punbb 1.0_rc2
CVE-2006-1090 HIGH

register.php in PunBB 1.2.10 allows remote attackers to cause an unspecified denial of service via a flood of new user registrations.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.10
CVE-2006-2227 MEDIUM

Cross-site scripting (XSS) vulnerability in misc.php in PunBB 1.2.11 allows remote attackers to inject arbitrary web script or HTML via the req_message parameter, because the value of the redirect_url parameter is not sanitized.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.11
CVE-2006-2724 MEDIUM

Cross-site scripting (XSS) vulnerability in PunBB 1.2.11 allows remote authenticated administrators to inject arbitrary HTML or web script to other administrators via the "Admin note" feature, a different vulnerability than CVE-2006-2227.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
punbb punbb 1.2.11
CVE-2009-4894 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in profile.php in PunBB before 1.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) password or (2) e-mail.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
punbb punbb 1.2.12
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.2.14
punbb punbb 1.2.21
punbb punbb 1.2.9
punbb punbb 1.2.13
punbb punbb 1.3.1
punbb punbb 1.2.8
punbb punbb 1.1.2
punbb punbb 1.2.7
punbb punbb 1.0.1
punbb punbb 1.2.4
punbb punbb 1.2.16
punbb punbb 1.2.5
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.0
punbb punbb 1.2.10
punbb punbb *
punbb punbb 1.2.19
punbb punbb 1.2.11
punbb punbb 1.1.4
punbb punbb 1.3.2
punbb punbb 1.2
punbb punbb 1.1.5
punbb punbb 1.2.20
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.3
punbb punbb 1.2.17
punbb punbb 1.2.6
punbb punbb 1.2.18
punbb punbb 1.2.15
CVE-2010-0455 MEDIUM

Cross-site scripting (XSS) vulnerability in forum/viewtopic.php in PunBB 1.3 allows remote attackers to inject arbitrary web script or HTML via the pid parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
punbb punbb 1.3
CVE-2011-3371 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in include/functions.php in PunBB before 1.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) id, (2) form_sent, (3) csrf_token, (4) req_confirm, or (5) delete parameter to delete.php, the (6) id, (7) form_sent, (8) csrf_token, (9) req_message, or (10) submit parameter to edit.php, the (11) action, (12) form_sent, (13) csrf_token, (14) req_email, or (15) request_pass parameter to login.php, the (16) email, (17) form_sent, (18) redirect_url, (19) csrf_token, (20) req_subject, (21) req_message, or (22) submit parameter to misc.php, the (23) action, (24) id, (25) form_sent, (26) csrf_token, (27) req_old_password, (28) req_new_password1, (29) req_new_password2, or (30) update parameter to profile.php, or the (31) action, (32) form_sent, (33) csrf_token, (34) req_username, (35) req_password1, (36) req_password2, (37) req_email1, (38) timezone, or (39) register parameter to register.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
punbb punbb 1.2.12
punbb punbb 1.2.3
punbb punbb 1.2.2
punbb punbb 1.2.23
punbb punbb 1.2.14
punbb punbb 1.2.21
punbb punbb 1.2.9
punbb punbb 1.3.3
punbb punbb 1.2.13
punbb punbb 1.3.1
punbb punbb 1.2.8
punbb punbb 1.1.2
punbb punbb 1.2.7
punbb punbb 1.0.1
punbb punbb 1.2.4
punbb punbb 1.2.16
punbb punbb 1.2.5
punbb punbb 1.1.1
punbb punbb 1.1.3
punbb punbb 1.2.22
punbb punbb 1.0
punbb punbb 1.2.10
punbb punbb *
punbb punbb 1.2.19
punbb punbb 1.2.11
punbb punbb 1.1.4
punbb punbb 1.3.4
punbb punbb 1.3.2
punbb punbb 1.2
punbb punbb 1.1.5
punbb punbb 1.2.20
punbb punbb 1.1
punbb punbb 1.2.1
punbb punbb 1.3
punbb punbb 1.2.17
punbb punbb 1.2.6
punbb punbb 1.2.18
punbb punbb 1.2.15