MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
References
Link | Resource |
---|---|
https://blog.sorcery.ie/posts/mybb_acp_rce/ | |
https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch | Patch |
https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 | Patch Third Party Advisory |
https://mybb.com/versions/1.8.36/ | Release Notes |
Configurations
History
11 Sep 2023, 15:16
Type | Values Removed | Values Added |
---|---|---|
References |
|
31 Aug 2023, 18:29
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.2 |
CPE | cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:* | |
First Time |
Mybb mybb
Mybb |
|
References | (CONFIRM) https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 - Patch, Third Party Advisory | |
References | (CONFIRM) https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch - Patch | |
References | (MISC) https://mybb.com/versions/1.8.36/ - Release Notes |
29 Aug 2023, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-08-29 16:15
Updated : 2023-12-10 15:14
NVD link : CVE-2023-41362
Mitre link : CVE-2023-41362
CVE.ORG link : CVE-2023-41362
JSON object : View
Products Affected
mybb
- mybb
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')