MyBB is a free and open source forum software. The _Mail Settings_ ? Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References
Link | Resource |
---|---|
https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338 | Exploit Third Party Advisory |
https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797 | Patch Third Party Advisory |
https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7 | Third Party Advisory |
https://mybb.com/versions/1.8.31/ | Release Notes Vendor Advisory |
Configurations
History
25 Jan 2023, 02:01
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-74 |
02 Dec 2022, 20:41
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-77 |
11 Oct 2022, 05:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Oct 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
CWE | CWE-74 |
07 Oct 2022, 18:47
Type | Values Removed | Values Added |
---|---|---|
Summary | MyBB is a free and open source forum software. The _Mail Settings_ ? Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |
References | (MISC) https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7 - Third Party Advisory | |
References | (MISC) https://mybb.com/versions/1.8.31/ - Release Notes, Vendor Advisory | |
References | (MISC) https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:* | |
First Time |
Mybb mybb
Mybb |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CWE | CWE-77 |
06 Oct 2022, 18:44
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-10-06 18:16
Updated : 2023-12-10 14:35
NVD link : CVE-2022-39265
Mitre link : CVE-2022-39265
CVE.ORG link : CVE-2022-39265
JSON object : View
Products Affected
mybb
- mybb