
MyBB 1.8.x < 1.8.5 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is running a PHP application that is vulnerable to multiple attack vectors.

Description

Versions of MyBB (MyBulletinBoard) prior to 1.6.17, or 1.8.x prior to 1.8.5, are affected by the following vulnerabilities:

- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the quick edit function in the '/xmlhttp.php' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (OSVDB 122745)
- A flaw exists that is triggered when sending an email to a user in 'member.php'. This flaw may allow a remote attacker to spoof the sender of the email. (OSVDB 122746)

Solution

Upgrade to MyBB version 1.8.5 or later.