{"api_version":"1","generated_at":"2026-05-09T12:04:37+00:00","cve":"CVE-2013-6936","urls":{"html":"https://cve.report/CVE-2013-6936","api":"https://cve.report/api/cve/CVE-2013-6936.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2013-6936","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2013-6936"},"summary":{"title":"CVE-2013-6936","description":"Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.","state":"PUBLISHED","assigner":"mitre","published_at":"2013-12-04 18:56:56","updated_at":"2026-04-29 01:13:23"},"problem_types":["CWE-89","n/a"],"metrics":[{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"7.5","severity":"","vector":"AV:N/AC:L/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html","name":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"MyBB Ajaxfs SQL Injection ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://seclists.org/bugtraq/2013/Nov/102","name":"http://seclists.org/bugtraq/2013/Nov/102","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Bugtraq: Mybb Ajaxfs Plugin Sql Injection 
vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://osvdb.org/100030","name":"http://osvdb.org/100030","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"0"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/89084","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/89084","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.exploit-db.com/exploits/29797","name":"http://www.exploit-db.com/exploits/29797","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"MyBB Ajaxfs 2 Plugin - SQL Injection Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.iedb.ir/exploits-889.html","name":"http://www.iedb.ir/exploits-889.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"Mybb Ajaxfs Plugin Sql Injection vulnerability","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2013-6936","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-6936","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"n/a","product":"n/a","version":"affected 
n/a","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2013","cve_id":"6936","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"mybb","cpe5":"ajax_forum_stat","cpe6":"2.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"mybb","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2013","cve_id":"6936","cve":"CVE-2013-6936","epss":"0.010620000","percentile":"0.777350000","score_date":"2026-04-29","updated_at":"2026-04-30 00:13:22"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-06T17:53:45.329Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"100030","tags":["vdb-entry","x_refsource_OSVDB","x_transferred"],"url":"http://osvdb.org/100030"},{"name":"29797","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"http://www.exploit-db.com/exploits/29797"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://www.iedb.ir/exploits-889.html"},{"name":"mybb-ajaxfs-sql-injection(89084)","tags":["vdb-entry","x_refsource_XF","x_transferred"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/89084"},{"name":"20131120 Mybb Ajaxfs Plugin Sql Injection vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ","x_transferred"],"url":"http://seclists.org/bugtraq/2013/Nov/102"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"n/a","vendor":"n/a","versions":[{"status":"affected","version":"n/a"}]}],"datePublic":"2013-11-19T00:00:00.000Z","descriptions":[{"lang":"en","value":"Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the 
(1) tooltip or (2) usertooltip parameter."}],"problemTypes":[{"descriptions":[{"description":"n/a","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2017-08-28T12:57:01.000Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"name":"100030","tags":["vdb-entry","x_refsource_OSVDB"],"url":"http://osvdb.org/100030"},{"name":"29797","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"http://www.exploit-db.com/exploits/29797"},{"tags":["x_refsource_MISC"],"url":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html"},{"tags":["x_refsource_MISC"],"url":"http://www.iedb.ir/exploits-889.html"},{"name":"mybb-ajaxfs-sql-injection(89084)","tags":["vdb-entry","x_refsource_XF"],"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/89084"},{"name":"20131120 Mybb Ajaxfs Plugin Sql Injection vulnerability","tags":["mailing-list","x_refsource_BUGTRAQ"],"url":"http://seclists.org/bugtraq/2013/Nov/102"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2013-6936","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip 
parameter."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"100030","refsource":"OSVDB","url":"http://osvdb.org/100030"},{"name":"29797","refsource":"EXPLOIT-DB","url":"http://www.exploit-db.com/exploits/29797"},{"name":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html","refsource":"MISC","url":"http://packetstormsecurity.com/files/124091/MyBB-Ajaxfs-SQL-Injection.html"},{"name":"http://www.iedb.ir/exploits-889.html","refsource":"MISC","url":"http://www.iedb.ir/exploits-889.html"},{"name":"mybb-ajaxfs-sql-injection(89084)","refsource":"XF","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/89084"},{"name":"20131120 Mybb Ajaxfs Plugin Sql Injection vulnerability","refsource":"BUGTRAQ","url":"http://seclists.org/bugtraq/2013/Nov/102"}]}}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2013-6936","datePublished":"2013-12-04T15:00:00.000Z","dateReserved":"2013-12-04T00:00:00.000Z","dateUpdated":"2024-08-06T17:53:45.329Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2013-12-04 18:56:56","lastModifiedDate":"2026-04-29 
01:13:23","problem_types":["CWE-89","n/a"],"metrics":{"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:mybb:ajax_forum_stat:2.0:-:*:*:*:mybb:*:*","matchCriteriaId":"6C256D31-0385-47E7-97AE-47CE2B77B82D"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2013","CveId":"6936","Ordinal":"1","Title":"CVE-2013-6936","CVE":"CVE-2013-6936","Year":"2013"},"notes":[{"CveYear":"2013","CveId":"6936","Ordinal":"1","NoteData":"Multiple SQL injection vulnerabilities in ajaxfs.php in the Ajax forum stat (Ajaxfs) Plugin 2.0 for MyBB (aka MyBulletinBoard) allow remote attackers to execute arbitrary SQL commands via the (1) tooltip or (2) usertooltip parameter.","Type":"Description","Title":"CVE-2013-6936"},{"CveYear":"2013","CveId":"6936","Ordinal":"2","NoteData":"2013-12-04","Type":"Other","Title":"Published"},{"CveYear":"2013","CveId":"6936","Ordinal":"3","NoteData":"2017-08-28","Type":"Other","Title":"Modified"}]}}}