[CLOSE] OSVDB ID : 37402 - Disclosed: 2007-10-01

Description:

(Description Provided by CVE) : Multiple cross-site scripting (XSS) vulnerabilities in iletisim.asp in Y&K Iletisim Formu allow remote attackers to inject arbitrary web script or HTML via the (1) ad, (2) sehir, (3) yas, (4) cins, (5) tel, (6) mail, and (7) mesaj parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.

[CLOSE] OSVDB ID : 18133 - Disclosed: 2005-07-16

Description:

(Description Provided by CVE) : Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi.

[CLOSE] OSVDB ID : 18132 - Disclosed: 2005-07-16

Description:

(Description Provided by CVE) : Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi.

[CLOSE] OSVDB ID : 18134 - Disclosed: 2005-07-16

Description:

(Description Provided by CVE) : Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi.

[CLOSE] OSVDB ID : 35519 - Disclosed: 2007-04-24

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in YA Book 0.98-alpha allows remote attackers to inject arbitrary web script or HTML via the City field in a sign action in index.php.

[CLOSE] OSVDB ID : 36060 - Disclosed: 2007-05-12

Description:

YAAP contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'includes/common.php' script not properly sanitizing user input supplied to the 'root_path' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

[CLOSE] OSVDB ID : 10222 - Disclosed: 2004-09-22

Description:

YaBB contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate an unspecified variable upon submission to the adminedit.pl script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 4283 - Disclosed: 2004-02-29

Description:

YaBB and Simple Machines SMF contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate user input upon submission to the "glow" or "shadow" formatting tags. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

[CLOSE] OSVDB ID : 45279 - Disclosed: 2002-10-18

Description:

(Description Provided by CVE) : Yet Another Bulletin Board (YaBB) 1.40 and 1.41 does not require a user to submit the correct password before changing it to a new password, which allows remote attackers to modify passwords by stealing the cookie of another user, modifying the expiretime setting, and submitting the change in a profile2 action to index.php.

[CLOSE] OSVDB ID : 20686 - Disclosed: 2005-11-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 67635 - Disclosed: 2010-02-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 2019 - Disclosed: 2002-01-08

Description:

YaBB contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate content inserted into [IMG][/IMG] image links upon submission to the script that handles forum messages and replies. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

[CLOSE] OSVDB ID : 38021 - Disclosed: 2003-01-05

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerabilities in Yet Another Bulletin Board (YaBB) 1.5.0 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into (1) news_icon of news_template.php, and (2) threadid and subject of index.html

[CLOSE] OSVDB ID : 31694 - Disclosed: 2002-10-18

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in Yet Another Bulletin Board (YaBB) 1.40 and 1.41 allows remote attackers to inject arbitrary web script or HTML via the password (passwrd) parameter.

[CLOSE] OSVDB ID : 93045 - Disclosed: 2013-05-02

Description:

YaBB contains a flaw that is due to the program failing to properly verify input passed via the guestlanguage cookie upon submission to Load.pl before being used in a local file inclusion. This may allow a remote attacker to execute arbitrary Perl code via a previously uploaded text file, potentially delivered via a traversal vector.

[CLOSE] OSVDB ID : 37238 - Disclosed: 2007-06-19

Description:

(Description Provided by CVE) : Directory traversal vulnerability in Yet another Bulletin Board (YaBB) 2.1 and earlier allows remote authenticated users to execute arbitrary Perl code via a .. (dot dot) in the userlanguage profile setting, which sets the userlanguage key of the member hash, and is propagated to the language variable in (1) HelpCentre.pl and (2) ICQPager.pl, (3) the use_lang variable in Subs.pl, and the actlang variable in (4) Post.pl and (5) InstantMessage.pl; as demonstrated by pointing userlanguage to the English folder, modifying English/HelpCentre.lng file to contain Perl statements, and then invoking the help action in YaBB.pl.

[CLOSE] OSVDB ID : 38020 - Disclosed: 2003-01-05

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerabilities in Yet Another Bulletin Board (YaBB) 1.5.0 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into (1) news_icon of news_template.php, and (2) threadid and subject of index.html

[CLOSE] OSVDB ID : 67634 - Disclosed: 2010-02-08

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 37237 - Disclosed: 2007-06-12

Description:

(Description Provided by CVE) : CRLF injection vulnerability in Yet another Bulletin Board (YaBB) 2.1 allows remote attackers to obtain administrative access via requests to (1) register.pl or (2) profile.pl that write CRLF sequences to a .vars file. NOTE: this can be leveraged to execute arbitrary code.

[CLOSE] OSVDB ID : 37236 - Disclosed: 2007-06-12

Description:

(Description Provided by CVE) : CRLF injection vulnerability in Yet another Bulletin Board (YaBB) 2.1 allows remote attackers to obtain administrative access via requests to (1) register.pl or (2) profile.pl that write CRLF sequences to a .vars file. NOTE: this can be leveraged to execute arbitrary code.

[CLOSE] OSVDB ID : 9746 - Disclosed: 2004-08-25

Description:

YaBB SE contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when accessing the 'Admin.php' script directly, which will cause the server to return an error page containing the installation path resulting in a loss of confidentiality.

[CLOSE] OSVDB ID : 53677 - Disclosed: 2003-04-22

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 29146 - Disclosed: 2006-08-10

Description:

(Description Provided by CVE) : Cross-site scripting (XSS) vulnerability in index.php in Yet another Bulletin Board (YaBB) allows remote attackers to inject arbitrary web script or HTML via the categories parameter.

[CLOSE] OSVDB ID : 3971 - Disclosed: 2004-02-16

Description:

YaBB SE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the 'quote' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

[CLOSE] OSVDB ID : 6733 - Disclosed: 2004-03-01

Description:

(Description Provided by CVE) : Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter.

[CLOSE] OSVDB ID : 6734 - Disclosed: 2004-03-01

Description:

(Description Provided by CVE) : Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php.

[CLOSE] OSVDB ID : 53674 - Disclosed: 2003-01-24

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 53675 - Disclosed: 2003-01-21

Description:

Unknown / Incomplete

[CLOSE] OSVDB ID : 26783 - Disclosed: 2006-06-22

Description:

YaBB SE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'profile.php' script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

[CLOSE] OSVDB ID : 53676 - Disclosed: 2003-01-10

Description:

YaBB SE contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the 'reminder.php' script not properly sanitizing user-supplied input to the 'user' parameter. This may allow an attacker to inject or manipulate SQL queries in the back-end database.