Description
Multiple vulnerabilities have been identified in MyBB (MyBulletinBoard), which could be exploited by attackers to manipulate certain information, or execute arbitrary SQL commands and scripting code.
The first issue is due to an input validation error when processing posts containing a specially crafted "img" tag, which could be exploited by attackers to delete arbitrary forum posts by tricking an administrator into viewing a malicious post.
The second flaw is due to an input validation error in the "inc/functions_post.php" script that does not validate specially crafted "url" tags, which could be exploited by malicious people to conduct cross-site scripting attacks.
The third vulnerability is due to an error in the "archive/global.php" script that does not define the "KILL_GLOBALS" constant, which could be exploited to overwrite certain variables and conduct SQL injection attacks.
The fourth issue is due to an input validation error in the "usercp.php" script that fails to properly validate the "joingroup" parameter before it is used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks and manipulate user groups.
The fifth flaw is due to input validation errors in the "inc/functions_upload.php" and "newreply.php" scripts that fail to properly validate the "posthash" parameter before it is used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.
The sixth issue is due to an input validation error in the "inc/class_session.php" script that fails to properly validate the "logon[]" parameter before it is used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.
The seventh vulnerability is due to an input validation error in the "editpost.php" script that fails to properly validate the "icon" parameter before it is used in SQL statements, which could be exploited by malicious people to conduct SQL injection attacks.
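For reviewing captured requests or building a filter in front of an unpatched board, the following added example (not part of the advisory and not MyBB code) applies a strict allow-list to three of the parameters named above. The value formats (numeric IDs for "joingroup" and "icon", a hex token for "posthash"), the `RULES` table and the `audit_request` helper are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# (script, parameter) -> allowed value format.
# The formats are assumptions; the advisory does not state them.
RULES = {
    ("usercp.php", "joingroup"): re.compile(r"\d{1,10}"),
    ("editpost.php", "icon"): re.compile(r"\d{1,10}"),
    ("newreply.php", "posthash"): re.compile(r"[0-9a-fA-F]{1,64}"),
}


def audit_request(script, raw_params):
    """Return (parameter, reason) pairs for values that fail the allow-list.

    raw_params is a URL-encoded query string or form body.
    """
    findings = []
    params = parse_qs(raw_params, keep_blank_values=True)
    for (rule_script, name), pattern in RULES.items():
        if rule_script != script:
            continue
        for key, values in params.items():
            # PHP turns name[] or name[key] into an array; a scalar is expected.
            if key.split("[", 1)[0] != name:
                continue
            if key != name:
                findings.append((key, "array form where scalar expected"))
                continue
            for value in values:
                if not pattern.fullmatch(value):
                    findings.append((key, "unexpected value: %r" % value))
    return findings


if __name__ == "__main__":
    # Constructed sample requests, not taken from real traffic.
    samples = [
        ("usercp.php", "action=usergroups&joingroup=4"),
        ("usercp.php", "action=usergroups&joingroup=4%27"),
        ("newreply.php", "tid=12&posthash=9f86d081884c7d65"),
        ("newreply.php", "tid=12&posthash=zz+zz"),
        ("editpost.php", "pid=3&icon[]=1"),
    ]
    for script, body in samples:
        print(script, body, "->", audit_request(script, body) or "ok")
```

A non-empty result means the request should be rejected or logged for review; the same checks belong in the application itself, together with parameterized queries, once the vendor fix is applied.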