CVE-2023-41362
 
Severity Score
7.2
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
MyBB before 1.8.36 allows Code Injection by users with certain high privileges. Templates in Admin CP intentionally use eval, and there was some validation of the input to eval, but type juggling interfered with this when using PCRE within PHP.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-08-29 CVE Reserved
- 2023-08-29 CVE Published
- 2024-10-01 CVE Updated
- 2024-10-12 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://blog.sorcery.ie/posts/mybb_acp_rce | | |
https://mybb.com/versions/1.8.36 | Release Notes | |

URL | Date | SRC |
---|---|---|
https://github.com/mybb/mybb/commit/a43a6f22944e769a6eabc58c39e7bc18c1cab4ca.patch | 2023-09-11 | |
https://github.com/mybb/mybb/security/advisories/GHSA-pr74-wvp3-q6f5 | 2023-09-11 | |