MyBB Versions Prior to 1.6.6 Multiple Security Vulnerabilities

Bugtraq ID:	51962
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 10 2012 12:00AM
Updated:	Feb 10 2012 12:00AM
Credit:	Nathan Malcolm, SQA Team
Vulnerable:	MyBB MyBB 1.6.5 MyBB MyBB 1.6.4 MyBB MyBB 1.6.3 MyBB MyBB 1.6.2 MyBB MyBB 1.6.1 MyBB MyBB 1.4.16 MyBB MyBB 1.4.15 MyBB MyBB 1.4.14 MyBB MyBB 1.4.10 MyBB MyBB 1.4.9 MyBB MyBB 1.4.8 MyBB MyBB 1.4.7 MyBB MyBB 1.4.6 MyBB MyBB 1.4.5 MyBB MyBB 1.4.3 MyBB MyBB 1.4.2 MyBB MyBB 1.2.14 MyBB MyBB 1.2.12 MyBB MyBB 1.2.2 MyBB MyBB 1.2.1 MyBB MyBB 1.2 MyBB MyBB 1.6
Not Vulnerable:	MyBB MyBB 1.6.6

MyBB Versions Prior to 1.6.6 Multiple Security Vulnerabilities

MyBB is prone to multiple cross-site scripting vulnerabilities and multiple cross-site request-forgery vulnerabilities.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

Versions prior to MyBB 1.6.6 are vulnerable.

MyBB Versions Prior to 1.6.6 Multiple Security Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim to follow a malicious URI or visit a malicious website.

MyBB Versions Prior to 1.6.6 Multiple Security Vulnerabilities

Solution:
Updates are available. Please see the references for more details.

MyBB Versions Prior to 1.6.6 Multiple Security Vulnerabilities

References:

• MyBB Homepage (MyBB)
  
• MyBB 1.6.6 Security Release (Mybb)