6.5

CVE-2009-4449

Exploit
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MybbMybb Version1.4.10
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.7% 0.84
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 6.3 6.8 6.9
AV:N/AC:M/Au:S/C:C/I:N/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/
Release Notes
http://openwall.com/lists/oss-security/2010/10/08/7
Mailing List
http://openwall.com/lists/oss-security/2010/10/11/8
Mailing List
http://openwall.com/lists/oss-security/2010/12/06/2
Mailing List
http://secunia.com/advisories/37906
Vendor Advisory
Broken Link
http://dev.mybboard.net/issues/617
Broken Link
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php
Exploit
Broken Link
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php
Exploit
Broken Link
http://osvdb.org/61359
Broken Link
http://www.securityfocus.com/bid/37489
Third Party Advisory
Broken Link
VDB Entry
http://www.vupen.com/english/advisories/2009/3651
Vendor Advisory
Permissions Required