CVE-2016-7150 is an authenticated cross-site scripting (XSS) issue in b2evolution affecting versions 6.7.5 and earlier. An attacker with valid user access can inject arbitrary web script or HTML through the site name field, which can lead to script execution in other users’ browsers when the affected content is rendered. The CVE was published on 2017-01-18, while linked public references show disclosure a [truncated]
CVE-2016-7149 is a cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earlier. The issue is tied to the autolink function, allowing remote attackers to inject script or HTML content. Because the vulnerability is network-reachable and requires user interaction, it is best treated as a web-facing content-safety issue that can affect administrators and site visitors.
CVE-2017-5494 describes multiple cross-site scripting (XSS) vulnerabilities in b2evolution through 6.8.3. According to the NVD record, a remote authenticated user can inject arbitrary web script or HTML through a .swf file placed in either a comment frame or an avatar frame. The issue carries a CVSS 3.0 base score of 5.4 (medium), with a network attack vector, low privileges required, and user interaction required.
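The defensive point behind this record is that an upload meant to be an image must be validated by content, not only by file name, so that a Flash file cannot be served from an avatar or comment context. The following is an added example, not b2evolution's own code: a small upload validator that checks the extension against an allow-list, then sniffs the first bytes for the three SWF signatures (FWS, CWS, ZWS) and for the magic numbers of the permitted image formats. The sample payloads are constructed inline; the allow-list and function names are assumptions.

```python
import os

# Extensions an avatar or comment image upload may carry (assumed allow-list).
ALLOWED_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# SWF container signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Magic numbers of the image formats the allow-list admits.
IMAGE_SIGNATURES = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"\xff\xd8\xff",       # JPEG
    b"GIF87a",             # GIF (1987 variant)
    b"GIF89a",             # GIF (1989 variant)
)


def looks_like_swf(data: bytes) -> bool:
    """True if the payload starts with any SWF container signature."""
    return data[:3] in SWF_SIGNATURES


def looks_like_image(data: bytes) -> bool:
    """True if the payload starts with a known PNG/JPEG/GIF magic number."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded file may be stored as an avatar/comment image.

    Returns (accepted, reason). The extension check alone is not enough:
    a file named avatar.gif whose bytes start with FWS is still a Flash file,
    so the content is sniffed before the upload is accepted.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return False, f"extension {ext!r} is not an allowed image type"
    if looks_like_swf(data):
        return False, "content is a Flash (SWF) file regardless of its name"
    if not looks_like_image(data):
        return False, "content does not match any allowed image signature"
    return True, "ok"


# Constructed sample uploads, not real files from any site.
SAMPLE_UPLOADS = {
    "avatar.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "avatar.gif": b"FWS\x0a" + b"\x00" * 16,          # SWF disguised as GIF
    "movie.swf": b"CWS\x0a" + b"\x00" * 16,           # SWF with honest name
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.txt": b"just text",
}


def screen_uploads(uploads: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Run the validator over a batch and return the verdict per file name."""
    return {name: validate_upload(name, data) for name, data in uploads.items()}


if __name__ == "__main__":
    for name, (ok, reason) in screen_uploads(SAMPLE_UPLOADS).items():
        print(f"{name:12} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

Content sniffing closes the name-versus-content gap; serving user uploads with `X-Content-Type-Options: nosniff` and a fixed `Content-Type` is the complementary server-side measure, since it stops a browser from reinterpreting a stored file as something more capable than an image.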
CVE-2017-5480 is a high-severity directory traversal issue in b2evolution’s back-office file handling. An authenticated remote user with administrative/back-office access could supply path traversal input in the fm_selected array parameter and use it to read or delete arbitrary files on the server. The NVD record classifies the flaw as CWE-22 and rates it CVSS 3.0 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) [truncated]
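The record above turns on a file-manager parameter that names files to act on; the defensive control is to resolve every supplied name against the media root and refuse anything that lands outside it. The following is an added example, not b2evolution's own code: it resolves each entry of an `fm_selected`-style list to an absolute path and uses `os.path.commonpath` rather than a string-prefix test, so a sibling directory such as `media2` cannot pass as "inside" `media`. The media root, the function names and the sample selection list are assumptions constructed for the example.

```python
import os
from pathlib import Path

# Hypothetical back-office media root; not b2evolution's real directory layout.
MEDIA_ROOT = Path("/srv/app/media")


class PathOutsideRootError(ValueError):
    """Raised when a selected name would resolve outside the media root."""


def resolve_selected(root: Path, selected: str) -> Path:
    """Map one fm_selected entry to an absolute path under root, or raise.

    Rejects empty and NUL-containing names, absolute paths, and any value
    whose resolved form (after '..' and symlink processing) escapes root.
    """
    if not selected or "\x00" in selected:
        raise PathOutsideRootError("empty or NUL-containing name")
    if os.path.isabs(selected) or selected.startswith("\\"):
        raise PathOutsideRootError(f"{selected!r} is absolute; only names relative to the media root are accepted")

    root_resolved = root.resolve(strict=False)
    candidate = (root_resolved / selected).resolve(strict=False)

    # commonpath compares whole path components, so /srv/app/media2/x does not
    # count as inside /srv/app/media the way a naive startswith() would allow.
    if os.path.commonpath([root_resolved, candidate]) != str(root_resolved):
        raise PathOutsideRootError(f"{selected!r} escapes the media root")
    return candidate


def partition_selection(root: Path, entries: list[str]) -> tuple[list[Path], list[tuple[str, str]]]:
    """Split a submitted selection into accepted paths and (entry, reason) rejections."""
    accepted: list[Path] = []
    rejected: list[tuple[str, str]] = []
    for entry in entries:
        try:
            accepted.append(resolve_selected(root, entry))
        except PathOutsideRootError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


# Constructed sample of what an fm_selected[] array might carry in a request.
SAMPLE_SELECTION = [
    "blogs/header.png",          # legitimate file under the root
    "../../etc/passwd",          # classic traversal out of the root
    "blogs/../../../media2/x",   # lands in a sibling directory (prefix trap)
    "/etc/shadow",               # absolute path
    "",                          # empty entry
]


if __name__ == "__main__":
    ok, bad = partition_selection(MEDIA_ROOT, SAMPLE_SELECTION)
    for path in ok:
        print("ACCEPT", path)
    for entry, reason in bad:
        print("REJECT", repr(entry), "->", reason)
```

Resolving before comparing is the important ordering: checking for `..` as a substring misses encoded or mixed forms, while comparing the fully resolved path against the resolved root catches them all, including symlinks that point out of the tree.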