CVE-2021-43281
 
Descriptions
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.
Timeline
- 2021-11-02 CVE Reserved
- 2021-11-04 CVE Published
- 2023-05-28 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
References (1)
URL | Date | SRC |
---|---|---|
https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p | 2021-11-05 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Mybb | Mybb | >= 1.2.0 < 1.8.29 | - | Affected |