CVE-2023-41362

Published Aug 29, 2023

Last updated a year ago

Overview

Description: MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.2
Impact score: 5.9
Exploitability score: 1.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov: CWE-94

Hype score: Not currently trending

MyBB Admin Panel RCE CVE-2023-41362 https://t.co/vD5u2HlWEf #Pentesting #CyberSecurity #Infosec https://t.co/nRsSke7ro7
@ptracesecurity
Oct 22, 2024 2:00 AM
1358 Impressions
3 Retweets
11 Likes
5 Bookmarks
0 Replies
0 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BB1F809C-701C-452A-9E80-B91FF79CF7AC",
            "versionEndExcluding": "1.8.36"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References