| Version Addressed | Severity | Description, References, Classification | Reported By |
|---|---|---|---|
|
4 November 2023 |
Medium |
Visual editor size code persistent XSS
[1]
CWE-79
|
Paulos Yibelo (Octagon Networks) |
| Low |
ACP Themes persistent XSS
[1]
CWE-79
|
Or4nG.M4n | |
|
28 August 2023 |
High |
ACP Templates RCE
[1]
[2]
CWE-94
|
Emmet Leahy |
|
21 May 2023 |
Low |
User CP email persistent XSS
[1]
CWE-79
|
Ahmet Altuntaş |
|
3 January 2023 |
High |
ACP Languages local file inclusion
[1]
CWE-22
|
yelang123 (Stealien), NGA (Stealien) |
|
19 November 2022 |
High |
Visual editor persistent XSS
[1]
[2]
CWE-79
|
Aleksey Solovev (Positive Technologies) |
| Medium |
ACP Users SQL injection
[1]
[2]
CWE-89
|
Aleksey Solovev (Positive Technologies) | |
| Low |
Attachment upload XSS
[1]
CWE-79
|
Aleksey Solovev (Positive Technologies) | |
|
4 October 2022 |
Medium |
Mail settings command parameter injection
[1]
CWE-77
|
|
|
9 March 2022 |
High |
ACP Settings management RCE
[1]
CWE-94
|
Cillian Collins / Trend Micro Zero Day Initiative |
|
30 October 2021 |
High |
ACP Settings management RCE
[1]
CWE-94
|
Xiangwen (Evan) Yu |
|
26 October 2021 |
Medium |
ACP Template Name XSS
[1]
CWE-79
|
Andrey Stoykov |
|
10 March 2021 |
High |
Nested Auto URL persistent XSS
[1]
[2]
CWE-79
|
Simon Scannell & Carl Smith |
| Medium |
Theme properties SQL injection
[1]
[2]
CWE-89
|
Simon Scannell & Carl Smith | |
| Medium |
Poll vote count SQL injection
[1]
CWE-89
|
Devilshakerz (MyBB Team) | |
| Medium |
Forum Management SQL injection
[1]
CWE-89
|
Devilshakerz (MyBB Team) | |
| Medium |
Usergroups SQL injection
[1]
CWE-89
|
Devilshakerz (MyBB Team) | |
| Low |
Custom moderator tools reflected XSS
[1]
CWE-79
|
Devilshakerz (MyBB Team) | |
|
22 February 2021 |
High |
Nested Email MyCode Persistent XSS
[1]
CWE-79
|
Igor Sak-Sakovskiy |
|
9 August 2020 |
High |
MyCode message formatting XSS in visual editor
[1]
CWE-79
|
Murphy |
|
17 July 2020 |
Medium |
Anti-CSRF token disclosure in online status location
[1]
CWE-200
|
Mipher |
|
30 December 2019 |
High |
Installer RCE on settings file write
CWE-94
|
yelang123 (Stealien) |
| Medium |
Arbitrary upload paths & Local File Inclusion RCE
CWE-94
|
CNCERT | |
| Medium |
XSS via insufficient HTML sanitization of Blog feed & Extend data
CWE-79
|
Devilshakerz (MyBB Team) | |
| Low |
Open redirect on login
CWE-601
|
Jyoti Raval (Qualys) | |
| Low |
SCEditor reflected XSS
CWE-79
|
Cillian Collins, bl4ckh4ck5 | |
|
10 June 2019 |
High |
Theme import stylesheet name RCE
[1]
CWE-94
|
Simon Scannell and Robin Peraglie (RIPS Technologies) |
| High |
Nested video MyCode persistent XSS
[1]
CWE-79
|
Simon Scannell and Robin Peraglie (RIPS Technologies) | |
| Medium |
Find Orphaned Attachments reflected XSS
CWE-79
|
Simon Scannell (RIPS Technologies) | |
| Medium |
Post edit reflected XSS
CWE-79
|
adm1nkyj (ENKI) | |
| Medium |
Private Messaging folders SQL injection
CWE-89
|
Alex (DiscoveryGC) | |
| Low |
Potential phar deserialization through Upload Path
CWE-502
|
Simon Scannell (RIPS Technologies) | |
|
27 February 2019 |
Medium |
Reset Password reflected XSS
CWE-79
|
|
| Medium |
ModCP Profile Editor username reflected XSS
CWE-79
|
Jovan Zivanovic (MaTRIS Research Group, SBA Research) | |
| Low |
Predictable CSRF token for guest users
CWE-352
|
Devilshakerz (MyBB Team) | |
| Low |
ACP Stylesheet Properties XSS
CWE-79
|
Cillian Collins | |
| Low |
Reset Password username enumeration via email
CWE-200
|
Abdullah Md. Shaleh | |
|
11 September 2018 |
High |
Email field SQL Injection
CWE-89
|
StefanT |
| Medium |
Video MyCode Persistent XSS in Visual Editor
CWE-79
|
Numan OZDEMIR (InfinitumIT) | |
| Low |
Insufficient permission check in User CP's attachment management
CWE-284
|
StefanT | |
| Low |
Insufficient email address verification
CWE-345
|
StefanT | |
|
22 August 2018 |
High |
Image MyCode "alt" attribute persistent XSS
|
Punisher_HF |
| Medium |
RSS Atom 1.0 item title persistent XSS
CWE-79
|
0xB9 | |
|
4 July 2018 |
High |
Image & URL MyCode Persistent XSS
CWE-79
|
Punisher_HF |
| Medium |
Multipage Reflected XSS
CWE-79
|
Dimaz Arno (Ethic Ninja) | |
| Low |
ACP logs XSS
CWE-79
|
Cillian Collins | |
| Low |
Arbitrary file deletion via ACP's Settings
CWE-22
|
Devilshakerz (MyBB Team) | |
| Low |
Login CSRF
CWE-352
|
Cillian Collins | |
| Low |
Non-video content embedding via Video MyCode
CWE-20
|
Punisher_HF | |
|
15 March 2018 |
Medium |
Tasks Local File Inclusion
CWE-98
|
Riley Baird |
| Medium |
Forum Password Check Bypass
CWE-284
|
Riley Baird | |
| Low |
Admin Permissions Group Title XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Attachment types file extension XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Moderator Tools XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Security Questions XSS
CWE-79
|
doylecc | |
| Low |
Settings Management XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Templates Set Name XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Usergroup Promotions XSS
CWE-79
|
Nathaniel Suchy | |
| Low |
Warning Types XSS
CWE-79
|
Nathaniel Suchy | |
|
28 November 2017 |
High |
Language file headers RCE
CWE-94
|
Julian Rittweger |
| Low |
Language Pack Properties XSS
CWE-79
|
Julian Rittweger | |
|
7 November 2017 |
High |
Installer RCE on configuration file write
CWE-94
|
pabstersac |
| High |
Language file headers RCE
CWE-94
|
Julian Rittweger | |
| Medium |
Installer XSS
CWE-79
|
pabstersac | |
| Medium |
Mod CP Edit Profile XSS
CWE-79
|
Julian Rittweger | |
| Low |
Insufficient moderator permission check in delayed moderation tools
CWE-284
|
Starpaul20 (MyBB Team) | |
| Low |
Announcements HTML filter bypass
CWE-79
|
||
| Low |
Language Pack Properties XSS
CWE-79
|
Julian Rittweger | |
|
22 May 2017 |
Medium |
Insufficient permission check in multiquote feature
CWE-284
|
frostschutz |
| Medium |
CSV macro injection on PM export
CWE-20
|
Rico A. Silvallana | |
| Low |
Weak password reset codes & false positives
CWE-334
|
Devilshakerz (MyBB Team) | |
|
4 April 2017 |
High |
XSS Injection in Email MyCode
CWE-79
|
Zhiyang Zeng (Tencent security platform department) |
| Medium |
SSRF protection can be bypassed
CWE-918
|
Orange Tsai (DEVCORE), Jasveer Singh (SEC Consult Vulnerability Lab) | |
| Low |
Directory Traversal in smilie module
CWE-22
|
Zhiyang Zeng (Tencent security platform department) | |
|
21 December 2016 |
Low |
CSRF issue when removing subscriptions
CWE-352
|
Devilshakerz (MyBB Team) |
|
17 October 2016 |
Medium |
Style import CSS overwrite on Windows servers
CWE-22
|
patryk |
| Medium |
SQL Injection in the users data handler
CWE-89
|
afinepl | |
| Medium |
SSRF attack in fetch_remote_file()
|
dawid_golunski | |
| Medium |
Possible short name access to ACP backups on Windows servers
CWE-22
|
kevinoclam | |
| Low |
Stored XSS in the ACP
CWE-79
|
patryk | |
| Low |
Loose comparison false positives
CWE-697
|
Devilshakerz (MyBB Team) | |
| Low |
Possible XSS injection in ACP users module
CWE-79
|
afinepl | |
|
11 March 2016 |
Medium |
Possible SQL Injection in moderation tool
CWE-89
|
jamslater |
| Low |
Missing permission check in newreply.php
CWE-284
|
StefanT (MyBB Team) | |
| Low |
Possible XSS Injection on login
CWE-79
|
Devilshakerz (MyBB Team) | |
| Low |
Possible XSS Injection in member validation
CWE-79
|
Tim Coen | |
| Low |
Possible XSS Injection in User CP
CWE-79
|
Tim Coen | |
| Low |
Possible XSS Injection in Mod CP logs
CWE-79
|
Starpaul20 (MyBB Team) | |
| Low |
Possible XSS Injection when editing users in Mod CP
CWE-79
|
Tim Coen | |
| Low |
Possible XSS Injection when pruning logs in ACP
CWE-79
|
Devilshakerz (MyBB Team) | |
| Low |
Possibility of retrieving database details through templates
CWE-200
|
Tim Coen | |
| Low |
Disclosure of ACP path when sending mails from ACP
CWE-200
|
sarisisop | |
| Low |
Low adminsid & sid entropy
CWE-334
|
Devilshakerz (MyBB Team) | |
| Low |
Clickjacking in ACP
CWE-1021
|
DingjieYang | |
| Low |
Missing directory listing protection in upload directories
CWE-548
|
Tim Coen | |
|
7 September 2015 |
Medium |
Forum password bypass in xmlhttp.php
CWE-284
|
Devilshakerz (MyBB Team) |
| Low |
SQL Injection in Grouppromotions module (ACP)
|
Devilshakerz (MyBB Team) | |
| Low |
Possible XSS Injection in the error handler
CWE-79
|
FooBar123 | |
| Low |
Possible XSS issues in old upgrade files
CWE-79
|
FooBar123 | |
| Low |
Possible Full Path Disclosure in publicly accessible error log files
CWE-200
|
Devilshakerz (MyBB Team) | |
|
7 September 2015 |
Medium |
Forum password bypass in xmlhttp.php
|
|
| Low |
SQL Injection in Grouppromotions module (ACP)
|
||
| Low |
Possible XSS Injection in the error handler
|
||
| Low |
Possible XSS issues in old upgrade files
|
||
|
27 May 2015 |
Medium |
Reset password code check could be circumvented in member.php
CWE-287
|
solati.sadegh |
| Medium |
Sender email could be spoofed when sending an email to a user in member.php
CWE-345
|
onlinedevelopers | |
| Medium |
Permissions not checked for post search with old sid in search.php
CWE-284
|
pedder55655 | |
| Medium |
XSS in quick edit function of xmlhttp.php
CWE-79
|
TiberiusG | |
| Low |
CSRF in ACP mass mail cancellation
CWE-352
|
Destroy666 (MyBB Team) | |
| Low |
Use of the U+200E Unicode character to create “duplicate” username
|
mahdy2021 | |
|
27 May 2015 |
Medium |
Reset password code check could be circumvented in member.php
|
|
| Medium |
Permissions not checked for post search with old sid in search.php
|
||
| Low |
CSRF in ACP mass mail cancellation
|
||
| Low |
Use of the U+200E Unicode character to create "duplicate" username
|
||
| Low |
Multiple XSS vulnerability requiring admin permissions
|
||
| Low |
A CSRF vulnerability within ACP login
|
||
| Low |
Cache handler using var_export without encoding checks
|
||
|
15 February 2015 |
Medium |
A XSS vulnerability in member.php
CWE-79
|
ATofighi (MyBB Team) |
| Medium |
A XSS vulnerability in MyCode editor
CWE-79
|
Matthias Ungethüm | |
| Low |
Multiple XSS vulnerability requiring admin permissions
CWE-79
|
adamziaja, Devilshakerz, DingjieYang, sroesemann | |
| Low |
A CSRF vulnerability within ACP login
CWE-352
|
Devilshakerz | |
| Low |
Group join request notifications sent to wrong group leaders
CWE-200
|
Snake_ | |
| Low |
Cache handler using var_export without encoding checks
CWE-172
|
chtg | |
| No |
A full path disclosure vulnerability within JSON library
CWE-200
|
Nathan Malcolm | |
|
20 November 2014 |
High |
A SQL injection vulnerability in theme selection
CWE-89
|
StefanT (MyBB Team) |
| Medium |
A XSS vulnerability in calendar.php
CWE-79
|
-Acid | |
| Medium |
A XSS vulnerability in MyCode editor
CWE-79
|
My-BB.Ir | |
| Low |
A XSS vulnerability related to post icons
CWE-79
|
Destroy666 (MyBB Team) | |
| Low |
unserialize may call PHP magic methods
CWE-502
|
chtg | |
| Low |
PHP setting request_order can break register globals handling
CWE-473
|
chtg | |
|
20 November 2014 |
Low |
A XSS vulnerability related to post icons
|
Destroy666 (MyBB Team) |
| Low |
A XSS vulnerability in admin/modules/style/templates.php
|
||
| Low |
A XSS vulnerability in admin/modules/config/languages.php
|
||
| Low |
unserialize may call PHP magic methods
|
chtg | |
| Low |
PHP setting request_order can break register globals handling
|
chtg | |
|
13 November 2014 |
High |
A SQL injection vulnerability in member.php
CWE-89
|
|
| Medium |
A XSS vulnerability in report.php
CWE-79
|
||
| Medium |
A XSS vulnerability in inc/class_parser.php
CWE-79
|
||
| Low |
A XSS vulnerability in admin/modules/style/templates.php
CWE-79
|
||
| Low |
A XSS vulnerability in admin/modules/config/languages.php
CWE-79
|
||
|
4 August 2014 |
Medium |
A XSS vulnerability in video MyCode
|
|
|
30 June 2014 |
Medium |
Possibility of executing PHP code through settings
|
GiantCrocodile |
| Low |
A XSS vulnerability in polls.php
|
AntiPaste | |
| Low |
A XSS vulnerability in portal.php
|
AntiPaste | |
| Low |
Password protected forums can be viewed from the portal
|
Nathan Malcolm | |
| Low |
Super moderators have more permissions than expected
|
JordanMussi (MyBB Team) | |
|
26 April 2014 |
Medium |
Possibility of executing PHP code through stylesheets
|
|
| Medium |
Possibility of executing PHP code through language files
|
||
| Low |
A XSS vulnerability in search system
|
||
| Low |
Potential weak random string generator
|
||
|
30 December 2013 |
Medium |
A SQL vulnerability when editing smilies in ACP
|
ChALkeR |
| Medium |
A SQL vulnerability when deleting posts with Akismet in ACP
|
ChALkeR | |
| Medium |
A XSS vulnerability in video MyCode
|
ChALkeR | |
| Low |
A XSS vulnerability in smilie popup
|
Spenzert |
Resolved Security Issues
Here you will find documented security issues addressed in past MyBB releases. Please note that the list may not include details of vulnerabilities in legacy branches. View Security Research to learn more or report security-related problems.