MyBB
A remote code execution vulnerability in MyBB (CVSS 5.3) that allows attackers. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
MyBB versions prior to 1.8.39 contain a local file inclusion (LFI) vulnerability in the upgrade component due to improper input validation (CWE-22). This vulnerability allows authenticated administrators or unauthenticated attackers with access to an unlocked installer to read arbitrary files from the server filesystem. The vulnerability requires either the installer to be accessible via re-installation or the attacker to have administrative privileges, significantly limiting real-world exploitability despite the CVSS 7.2 score.
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Add MyCode function. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. No vendor patch is available.
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Mail function. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.