CVE-2005-4199

Sažetak

Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.

Reference

http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html
http://community.mybboard.net/showthread.php?tid=5184&pid=30964#pid30964
http://secunia.com/advisories/18000
http://securityreason.com/securityalert/246
http://securityreason.com/securityalert/294
http://securitytracker.com/id?1015407
http://www.osvdb.org/22156
http://www.osvdb.org/22157
http://www.osvdb.org/22158
http://www.securityfocus.com/archive/1/419067/100/0/threaded
http://www.securityfocus.com/archive/1/420159/100/0/threaded
http://www.securityfocus.com/bid/15793
http://www.trapkit.de/advisories/TKADV2005-12-001.txt
http://www.trapkit.de/advisories/TKPN2005-12-001.txt
http://www.vupen.com/english/advisories/2005/2842

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

19-10-2018 - 15:40

Objavljeno

13-12-2005 - 11:03