CVE-2009-4449
MEDIUMMyBB 1.4.10 - Authenticated Path Traversal via Avatar Gallery Parameter
Title source: llmDescription
Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
References (11)
Core 11
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/37489
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2010/10/08/7
Broken Link, Exploit x_refsource_confirm
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/admin/modules/user/users.php
Broken Link, Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/37906
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2010/10/11/8
Broken Link x_refsource_confirm
http://dev.mybboard.net/issues/617
Permissions Required, Vendor Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3651
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2010/12/06/2
Broken Link vdb-entry
x_refsource_osvdb
http://osvdb.org/61359
Release Notes x_refsource_confirm
http://blog.mybboard.net/2009/12/29/mybb-1-4-11-released-minor-patch-security-update/
Broken Link, Exploit x_refsource_confirm
http://dev.mybboard.net/projects/mybb/repository/revisions/4663/diff/branches/1.4-stable/usercp.php
Scores
CVSS v3
6.5
EPSS
0.0270
EPSS Percentile
84.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-22
Status
published
Products (1)
mybb/mybb
1.4.10
Published
Dec 29, 2009
Tracked Since
Feb 18, 2026