CVE-2005-4199

Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) before 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) month, (2) day, and (3) year parameters in an addevent action in calendar.php; (4) threadmode and (5) showcodebuttons in an options action in usercp.php; (6) list parameter in an editlists action to usercp.php; (7) rating parameter in a rate action in member.php; and (8) rating parameter in either showthread.php or ratethread.php.

Published: Dec 13, 2005
Updated: Apr 13, 2023
CVE: CVE-2005-4199
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
mybb / mybb	1.0-rc2	1.0-rc2.x
mybb / mybb	1.0-rc4	1.0-rc4.x
mybb / mybb	1.0-rc3	1.0-rc3.x
mybb / mybb	-	1.0.x
mybb / mybb	1.0-pr1	1.0-pr1.x
mybb / mybb	1.0-rc1	1.0-rc1.x
mybb / mybb	1.0-beta4	1.0-beta4.x

http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0379.html
http://community.mybboard.net/showthread.php?tid=5184&pid=30964#pid30964
http://secunia.com/advisories/18000
http://securityreason.com/securityalert/246
http://securityreason.com/securityalert/294
http://securitytracker.com/id?1015407
http://www.osvdb.org/22156
http://www.osvdb.org/22157
http://www.osvdb.org/22158
http://www.securityfocus.com/archive/1/419067/100/0/threaded
http://www.securityfocus.com/archive/1/420159/100/0/threaded
http://www.securityfocus.com/bid/15793
http://www.trapkit.de/advisories/TKADV2005-12-001.txt
http://www.trapkit.de/advisories/TKPN2005-12-001.txt
http://www.vupen.com/english/advisories/2005/2842

Vulnerability Database

289,697

CVE-2005-4199