CVE - CVE-2015-2149

CVE-ID
CVE-2015-2149	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BID:72738 URL:http://www.securityfocus.com/bid/72738 CONFIRM:http://blog.mybb.com/2015/02/15/mybb-1-8-4-released-feature-update-security-maintenance-release/ FULLDISC:20150221 Multiple stored XSS-vulnerabilities in MyBB v. 1.8.3 URL:http://seclists.org/fulldisclosure/2015/Feb/80 MISC:http://sroesemann.blogspot.de/2015/02/sroeadv-2015-15.html MLIST:[oss-security] 20150221 CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities URL:http://seclists.org/oss-sec/2015/q1/629 MLIST:[oss-security] 20150227 Re: CVE-Request -- MyBB v. 1.8.3 -- Multiple stored XSS-vulnerabilities URL:http://seclists.org/oss-sec/2015/q1/705 SECTRACK:1031953 URL:http://www.securitytracker.com/id/1031953
Assigning CNA
MITRE Corporation
Date Record Created
20150227	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20150227)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)