Directory traversal vulnerability in MyBB (aka MyBulletinBoard) 1.4.10, and possibly earlier versions, when changing the user avatar from the gallery, allows remote authenticated users to determine the existence of files via directory traversal sequences in the avatar and possibly the gallery parameters, related to (1) admin/modules/user/users.php and (2) usercp.php.
Threat-Mapped Scoring
Score: 0.0
Priority: Unclassified
EPSS
Score: 0.00501 Percentile:
0.64958
CVSS Scoring
CVSS v3.1 Score: 6.5
Severity: MEDIUM
Mapped CWE(s)
CWE-22
: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
All CAPEC(s)
CAPEC-126: Path Traversal
CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-76: Manipulating Web Input to File System Calls
CAPEC-78: Using Escaped Slashes in Alternate Encoding