MidnightBSD

Advisories for ubbcentral

CVE-2004-1622 HIGH

SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 3.5
ubbcentral ubb.threads 3.4
CVE-2004-2509 MEDIUM

Cross-site scripting (XSS) vulnerabilities in (1) calendar.php, (2) login.php, and (3) online.php in Infopop UBB.Threads 6.2.3 and 6.5 allow remote attackers to inject arbitrary web script or HTML via the Cat parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.5
CVE-2004-2510 MEDIUM

Cross-site scripting (XSS) vulnerability in showflat.php in Infopop UBB.Threads before 6.5 allows remote attackers to inject arbitrary web script or HTML via the Cat parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
CVE-2005-0726 HIGH

SQL injection vulnerability in editpost.php in UBB.threads 6.0 allows remote attackers to execute arbitrary SQL commands via the Number parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.0
CVE-2005-2057 MEDIUM

Multiple cross-site scripting (XSS) vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to inject arbitrary web script or HTML via the (1) Searchpage parameter to dosearch.php, (2) Number, (3) what, or (4) page parameter to newreply.php, (5) Number, (6) Board, or (7) what parameter to showprofile.php, (8) fpart or (9) page parameter to showflat.php, or (10) like parameter to showmembers.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.1.1
CVE-2005-2058 HIGH

Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.php, (3) mailthread.php, or (4) notifymod.php, (5) month or (6) year parameter to calendar.php, (7) message parameter to viewmessage.php, (8) main parameter to addfav.php, or (9) posted parameter to grabnext.php.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.1.1
CVE-2005-2059 MEDIUM

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
ubbcentral ubb.threads *
CVE-2005-2060 MEDIUM

Multiple HTTP Response Splitting vulnerabilities in (1) toggleshow.php, (2) togglecats.php, and (3) showprofile.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the Cat parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.1.1
CVE-2005-2061 MEDIUM

Infopop UBB.Threads before 6.5.2 Beta allows remote attackers to include arbitrary files via the language parameter in a cookie followed by a null (%00) byte.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.1.1
CVE-2006-0545 HIGH

SQL injection vulnerability in showflat.php in Groupee (formerly known as Infopop) UBB.threads 6.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Number parameter.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.2.2
CVE-2006-1423 MEDIUM

SQL injection vulnerability in showflat.php in UBB.threads 5.5.1, 6.0 br5, 6.0.1, 6.0.2, and earlier, allows remote attackers to execute arbitrary SQL commands via the Number parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 5.5.1
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.0.2
CVE-2006-2568 MEDIUM

PHP remote file inclusion vulnerability in addpost_newpoll.php in UBB.threads 6.4 through 6.5.2 and 6.5.1.1 (trial) allows remote attackers to execute arbitrary PHP code via a URL in the thispath parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.5.2
ubbcentral ubb.threads 6.5.1.1
CVE-2006-2675 MEDIUM

PHP remote file inclusion vulnerability in ubbt.inc.php in UBBThreads 5.x and 6.x allows remote attackers to execute arbitrary PHP code via a URL in the (1) thispath or (2) configdir parameters.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 3.5
ubbcentral ubb.threads 3.4
ubbcentral ubb.threads *
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 5.0
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.2
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.5.2_beta2
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 5.5.1
ubbcentral ubb.threads 6.5.1.1
CVE-2006-2755 MEDIUM

Cross-site scripting (XSS) vulnerability in index.php in UBBThreads 5.x and earlier allows remote attackers to inject arbitrary web script or HTML via the debug parameter, as demonstrated by stealing MD5 hashes of passwords.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
ubbcentral ubb.threads 6.1
ubbcentral ubb.threads 6.4.3
ubbcentral ubb.threads 6.5.3
ubbcentral ubb.threads 6.2.1
ubbcentral ubb.threads 5.0
ubbcentral ubb.threads 6.0.2
ubbcentral ubb.threads 6.0.3
ubbcentral ubb.threads 6.5
ubbcentral ubb.threads 6.5.1
ubbcentral ubb.threads 6.4.4
ubbcentral ubb.threads 6.0
ubbcentral ubb.threads 6.1.1
ubbcentral ubb.threads 6.4.2
ubbcentral ubb.threads 6.5.2
ubbcentral ubb.threads 6.3.1
ubbcentral ubb.threads 6.2.3
ubbcentral ubb.threads 6.4
ubbcentral ubb.threads 6.0.1
ubbcentral ubb.threads 6.5.2_beta2
ubbcentral ubb.threads 6.4.1
ubbcentral ubb.threads 6.2.2
ubbcentral ubb.threads 6.2
ubbcentral ubb.threads 6.3
ubbcentral ubb.threads 5.5.1
ubbcentral ubb.threads 6.5.1.1