| OSVDB ID | Disclosure Date | Title | Description |
|---|---|---|---|
| 3618 | 2004-01-20 | YaBB SE SSI.php ID_MEMBER Parameter SQL Injection | YaBB SE contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that the ID_MEMBER variable in the SSI.php module is not verified properly and will allow an attacker to inject or manipulate SQL queries through the welcome or recentTopics functions. |
| 6678 | 2003-05-09 | YaBB SE SSI.php sourcedir Arbitrary Command Execution | (Description Provided by CVE): SSI.php in YaBB SE 1.5.2 allows remote attackers to execute arbitrary PHP code by modifying the sourcedir parameter to reference a URL on a remote web server that contains the code. |
| 18242 | 2005-07-14 | YaBB SE ssi_examples.php Direct Request Path Disclosure | (Description Provided by CVE): YabbSE 1.5.5c allows remote attackers to obtain sensitive information via a direct request to ssi_examples.php, which reveals the path. |
| 50427 | 2008-01-22 | YaBB SE YaBBSE155 Cookie Authentication Bypass | Unknown / Incomplete |
| 7697 | 2000-11-07 | YaBB search.pl catsearch Parameter Traversal Arbitrary File Access | (Description Provided by CVE): Directory traversal vulnerability in YaBB search.pl CGI script allows remote attackers to read arbitrary files via a .. (dot dot) attack in the "catsearch" form field. |
| 12145 | 2004-11-25 | YaBB Shadow BBCode Tag XSS | YaBB Gold contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input using the "shadow" BBCode formatting tag. This could allow a malicious user to submit a specially crafted message that, when viewed by a target, would execute arbitrary code in the target's browser, leading to a loss of integrity. |
| 10221 | 2004-09-22 | YaBB Subject Variable Line Break Content Manipulation | YaBB Gold contains a flaw that may allow a malicious user to insert line breaks in a related text file. The issue is triggered when malicious input in the subject variable occurs. It is possible that the flaw may allow manipulation of a text file, resulting in a loss of integrity. |
| 6724 | 2004-02-17 | YaBB Valid User Information Disclosure | (Description Provided by CVE): YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. |
| 9234 | 2002-06-21 | YaBB YaBB.cgi num Parameter XSS | (Description Provided by CVE): Cross-site scripting vulnerability in YaBB.cgi for Yet Another Bulletin Board (YaBB) 1 Gold SP1 and earlier allows remote attackers to execute arbitrary script as other web site visitors via script in the num parameter, which is not filtered in the resulting error message. |
| 10243 | 2004-09-16 | YaBB YaBB.pl CSRF IMG Tag Command Injection | (Description Provided by CVE): Cross-site request forgery (CSRF) vulnerability in YaBB 1 GOLD SP 1.3.2 allows remote attackers to perform unauthorized actions as the administrative user via a link or IMG tag to YaBB.pl that specifies the desired action, id, and moda parameters. |
| 411 | 2000-09-09 | YaBB YaBB.pl num Parameter Traversal Arbitrary File Access | YaBB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'YaBB.pl' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'num' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server. |
| 41022 | 2002-12-01 | YaBB YaBB.pl num Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in YaBB.pl in Yet Another Bulletin Board (YaBB) 1 Gold SP 1 allows remote attackers to inject arbitrary web script or HTML via the num parameter. |
| 10242 | 2004-09-16 | YaBB YaBB.pl to Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in YaBB.pl in YaBB 1 GOLD SP 1.3.2 allows remote attackers to inject arbitrary web script or HTML via a hex-encoded to parameter. NOTE: some sources say that the board parameter is affected, but this is incorrect. |
| 10220 | 2004-09-22 | YaBB YaBBC.pl glow/shadow Tag Arbitrary Java Code Execution | Unknown / Incomplete |
| 14827 | 2005-03-13 | YaBB2 YaBB.pl usersrecentposts Action username Parameter XSS | (Description Provided by CVE): Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a usersrecentposts action. |
| 82543 | 2012-01-12 | YABSoft Advanced Image Hosting Script view_comments.php gal Parameter SQL Injection | YABSoft Advanced Image Hosting contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the view_comments.php script not properly sanitizing user-supplied input to the 'gal' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
| 52789 | 2009-03-17 | YABSoft Mega File Hosting Script cross.php url Parameter Remote File Inclusion | YABSoft Mega File Hosting Script contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'cross.php' script not properly sanitizing user input supplied to the 'url' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 58889 | 2009-09-16 | YABSoft Mega File Hosting Script emaullinks.php moudi Parameter XSS | YABSoft Mega File Hosting Script contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'moudi' parameters upon submission to the 'emaullinks.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 45036 | 2008-05-12 | YABSoft Mega File Hosting Script members.php fid Parameter SQL Injection | YABSoft Mega File Hosting Script contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'members.php' script not properly sanitizing user-supplied input to the 'fid' variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 47080 | 2008-07-08 | Yacc skeleton.c yyparse() Function Parsed Rule DoS | (Description Provided by CVE): skeleton.c in yacc does not properly handle reduction of a rule with an empty right hand side, which allows context-dependent attackers to cause an out-of-bounds stack access when the yacc stack pointer points to the end of the stack. |
| 67149 | 2010-07-17 | YACK CMS index.php context[path_to_root] Parameter Remote File Inclusion | YACK CMS contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'index.php' script not properly sanitizing user input supplied to the 'context[path_to_root]' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server. |
| 71292 | 2011-03-30 | YaCOMAS admin/index.php S_login Parameter XSS | YaCOMAS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'S_login' parameter upon submission to the admin/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 71291 | 2011-03-30 | YaCOMAS asistente/index.php Multiple Parameter XSS | YaCOMAS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate the 'S_login', 'S_nombrep', 'S_apellidos', 'S_mail', 'S_org' and 'S_ciudad' parameters upon submission to the asistente/index.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server. |
| 28301 | 2006-08-31 | YACS article.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to article.php not properly sanitizing user input supplied to the 'context[path_to_root]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |
| 31301 | 2006-08-29 | YACS articles/populate.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'articles/populate.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 31302 | 2006-08-29 | YACS categories/category.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'categories/category.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 31303 | 2006-08-29 | YACS categories/populate.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'categories/populate.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 31304 | 2006-08-29 | YACS comments/populate.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'comments/populate.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 31305 | 2006-08-29 | YACS files/file.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'context[path_to_root]' variable upon submission to the 'files/file.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 52041 | 2009-02-16 | YACS scripts/update_trailer.php context[path_to_root] Parameter Remote File Inclusion | YACS contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to scripts/update_trailer.php not properly sanitizing user input supplied to the context[path_to_root] parameter. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script. |