CVE-2018-10305

CRITICAL

9.8

CVSS Severity Score

EPSS Score0.1860%

EPSS Percentile33.74th

PublishedApr 24, 2018

Last ModifiedNov 21, 2024

Vulnerability Description

The MessageSearch2 function in PersonalMessage.php in Simple Machines Forum (SMF) before 2.0.15 does not properly use the possible_users variable in a query, which might allow attackers to bypass intended access restrictions.

Affected Platforms (CPE)

📦

Simplemachines

Simple Machines Forum

< 2.0.15

References & Advisories

🔗 https://www.simplemachines.org/community/index.php?topic=557176.0

Related Vulnerabilities

CVE-2011-112710.0

SSI.php in Simple Machines Forum (SMF) before 1.1.13, and 2.x before 2.0 RC5, does not properly restrict guest access, which allow...

CVE-2005-48919.8

Simple Machine Forum (SMF) versions 1.0.4 and earlier have an SQL injection vulnerability that allows remote attackers to inject a...

CVE-2019-115749.8

An issue was discovered in Simple Machines Forum (SMF) before release 2.0.17. There is SSRF related to Subs-Package.php and Subs.p...

CVE-2016-57269.8

Packages.php in Simple Machines Forum (SMF) 2.1 allows remote attackers to conduct PHP object injection attacks and execute arbitr...