PT-2007-1870 · Simple Machines · Simple Machines Forum

Published: 2007-01-22 · Updated: 2018-10-16 · CVE-2007-0399
CVSS v2.0: 6.0 (Medium)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Simple Machines Forum (SMF) version 1.1 RC3

Description: Multiple cross-site scripting (XSS) vulnerabilities in the index.php file of Simple Machines Forum (SMF) allow remote authenticated users to inject arbitrary web script or HTML via the recipient or BCC field when selecting send in a pm action.

Recommendations: For Simple Machines Forum (SMF) version 1.1 RC3, consider disabling the pm action functionality until a patch is available, to prevent exploitation of the XSS vulnerabilities in the recipient and BCC fields. Restrict access to the index.php file to minimize the risk of arbitrary web script or HTML injection.

Related Identifiers: CVE-2007-0399
Affected Products: Simple Machines Forum