In versions prior to 1.8.30, MyBB's Settings module allows adding settings of type php, with PHP code executed on Change Settings pages. This results in an RCE vulnerability, since the code can be used to perform any action depending on the PHP code. There are no known workarounds. The vulnerability is present in all MyBB 1.8.x versions, including the official release 1.8.30.

In all MyBB 1.8.x versions, and in all versions prior to 1.8.30, the Settings management module allows adding settings of type php, with PHP code executed on Change Settings pages.

What's Fixed in MyBB 1.8.30?

The Settings management module was fixed in 1.8.30. Note that this does not affect users with the 1.8.x releases prior to 1.8.30.

What's Fixed in MyBB 1.2.0?

In all MyBB 1.2.x versions, and in all versions prior to 1.2.0 (including the official release 1.2.0), the Settings management module allows adding settings of type php, with PHP code executed on Change Settings

Overview

The vulnerability is present in all MyBB 1.8.x versions, including the official release 1.8.30 and earlier versions. All MyBB 1.8.x versions are affected, as well as all MyBB 1.2.x versions and earlier releases.

What are the risks of using MyBB?

The Settings management module was fixed in 1.8.30. Note that this does not affect users with the 1.8.x releases prior to 1.8.30.

Timeline

Published on: 03/09/2022 22:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC
