Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
References
Configurations
History
21 Nov 2024, 01:09
Type | Values Removed | Values Added |
---|---|---|
References | () http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Release Notes | |
References | () http://dev.mybboard.net/issues/617 - Broken Link | |
References | () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Broken Link, Exploit | |
References | () http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Broken Link, Exploit | |
References | () http://openwall.com/lists/oss-security/2010/10/08/7 - Mailing List | |
References | () http://openwall.com/lists/oss-security/2010/10/11/8 - Mailing List | |
References | () http://openwall.com/lists/oss-security/2010/12/06/2 - Mailing List | |
References | () http://osvdb.org/61359 - Broken Link | |
References | () http://secunia.com/advisories/37906 - Broken Link, Vendor Advisory | |
References | () http://www.securityfocus.com/bid/37489 - Broken Link, Third Party Advisory, VDB Entry | |
References | () http://www.vupen.com/english/advisories/2009/3651 - Permissions Required, Vendor Advisory |
26 Jan 2024, 17:46
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php - Broken Link, Exploit | |
References | (VUPEN) http://www.vupen.com/english/advisories/2009/3651 - Permissions Required, Vendor Advisory | |
References | (BID) http://www.securityfocus.com/bid/37489 - Broken Link, Third Party Advisory, VDB Entry | |
References | (CONFIRM) http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php - Broken Link, Exploit | |
References | (CONFIRM) http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/ - Release Notes | |
References | (OSVDB) http://osvdb.org/61359 - Broken Link | |
References | (CONFIRM) http://dev.mybboard.net/issues/617 - Broken Link | |
References | (MLIST) http://openwall.com/lists/oss-security/2010/10/11/8 - Mailing List | |
References | (MLIST) http://openwall.com/lists/oss-security/2010/12/06/2 - Mailing List | |
References | (SECUNIA) http://secunia.com/advisories/37906 - Broken Link, Vendor Advisory | |
References | (MLIST) http://openwall.com/lists/oss-security/2010/10/08/7 - Mailing List | |
CVSS |
v2 : v3 : |
v2 : 6.3
v3 : 6.5 |
Information
Published : 2009-12-29 20:41
Updated : 2024-11-21 01:09
NVD link : CVE-2009-4449
Mitre link : CVE-2009-4449
CVE.ORG link : CVE-2009-4449
JSON object : View
Products Affected
mybboard
- mybb
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')