CVE-2009-4449

MEDIUM

MyBB 1.4.10 - Authenticated Path Traversal via Avatar Gallery Parameter

Title source: llm
STIX 2.1

Description

Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.

References (11)

Core 11
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/37489
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/10/08/7
Broken Link, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37906
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/10/11/8
Broken Link x_refsource_confirm
http://dev.mybboard.net/issues/617
Permissions Required, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3651
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2010/12/06/2
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/61359

Scores

CVSS v3 6.5
EPSS 0.0270
EPSS Percentile 84.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (1)
mybb/mybb 1.4.10
Published Dec 29, 2009
Tracked Since Feb 18, 2026