Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2015-2149

Overview

Vulnerability Score 3.5 3.5
CVE Id CVE-2015-2149
Last Modified 28 Sep 2015 08:39:56
Published 18 Mar 2015 10:59:00
Confidentiality Impact NONE NONE
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2015-2149

Summary

Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.

Vulnerable Systems

Application

  • Mybb 1.8.3


References

CONFIRM - http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/

MISC - http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html

MLIST - [oss-security] 20150227 Re: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities

MLIST - [oss-security] 20150221 CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities

FULLDISC - 20150221 Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3

SECTRACK - 1031953


Last Updated: 27 May 2016 11:08:08