oss-sec mailing list archives
CVE request: MyBB 1.8.3 & 1.6.16 security releases
From: Henri Salo <henri () nerv fi>
Date: Wed, 10 Dec 2014 21:23:28 +0200
Can I get multiple CVEs for issues fixed in MyBB 1.8.3 & 1.6.16, thank you.

http://blog.mybb.com/2014/11/20/mybb-1-8-3-1-6-16-released-security-releases/

1.8.3
"""
The vulnerabilities are:

High Risk: A SQL injection vulnerability in theme selection (reported by StefanT)
Medium Risk: An XSS vulnerability in calender.php (reported by -Acid)
Medium Risk: An XSS vulnerability in MyCode editor (reported by My-BB.Ir)
Low Risk: An XSS vulnerability related to post icons (reported by Destroy666)
Low Risk: unserialize may call PHP magic methods (reported by chtg)
Low Risk: PHP setting request_order can break register globals handling (reported by chtg)

Additionally we've fixed an issue with the video MyCode introduced with MyBB 1.8.2 (#1625) and revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we've set the adminsid cookie as httpOnly (#1622). We also plan to add enhanced options to protect the Admin CP like two factor authentication with one of the next maintenance releases.
"""

1.6.16
"""
The vulnerabilities are:

Low Risk: An XSS vulnerability related to post icons (reported by Destroy666)
Low Risk: An XSS vulnerability in admin/modules/style/templates.php
Low Risk: An XSS vulnerability in admin/modules/config/languages.php
Low Risk: unserialize may call magic methods (reported by chtg)
Low Risk: request_order can break register globals handling (reported by chtg)

Additionally we've revised the handling of data fetched from our website as a direct consequence of the compromised GitHub account (#1617). In addition to that, we've set the adminsid cookie as httpOnly (#1622).
"""

--
Henri Salo