Dvz

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.39 **Description** The search component in MyBB does not validate permissions correctly, allowing attackers to determine the existence of hidden threads, including draft, unapproved, or soft-deleted threads, by analyzing the search results. The `mybb threads.visible` integer column is not validated in internal search queries, which can be used to output a general success or failure of the search. This issue can be exploited by users with access to the search functionality and general access to forums containing the threads. The vulnerability does not expose the message content of posts. **Recommendations** For MyBB versions prior to 1.8.39, update to version 1.8.39 to resolve the issue. As a temporary workaround, consider restricting access to the search functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.34 **Description** The issue concerns a cross-site scripting (XSS) flaw in the User CP module, specifically via the user email field. This allows for potential malicious script execution. **Recommendations** For versions prior to 1.8.34, update to version 1.8.34 or later to resolve the issue. As a temporary workaround, consider restricting access to the User CP module until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.8.31 **Description** The issue allows remote attackers to inject HTML via user input or stored data due to a Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor). **Recommendations** For MyBB version 1.8.31, as a temporary workaround, consider disabling the visual MyCode editor (SCEditor) until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.29 **Description** The issue allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages. **Recommendations** For MyBB versions prior to 1.8.29, update to version 1.8.29 or later to resolve the issue. As a temporary workaround, consider restricting the "Can manage settings?" permission to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to a Cross-site Scripting (XSS) vulnerability. It occurs when parsing messages, specifically via Nested Auto URL. This vulnerability can be exploited to execute malicious scripts on the client-side. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to a Cross-site Scripting vulnerability. It affects the Custom moderator tools in MyBB. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.