CVE-2022-39265
Mail settings' command parameter injection in mybb
In short
MyBB forum software allows administrators with settings management permissions to inject commands through mail configuration parameters, potentially leading to sensitive information disclosure or remote code execution on the server.
Technical detail
CWE-74 (improper neutralization of special elements) injection vulnerability in MyBB's handling of the mail settings parameters. Exploitation requires Admin CP access with the settings management permission. An attacker holding that permission can inject arbitrary command-line arguments through the mail_parameters setting, which are passed unsanitized to PHP's mail() function as its additional parameters; depending on the configured mail program's options and on file permissions, this can lead to RCE or to disclosure of sensitive information.
Summary generated and translated by AI from the official description.
MyBB is a free and open source forum software. The _Mail Settings_ → _Additional Parameters for PHP's mail() function_ (`mail_parameters`) setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the _Can manage settings?_ permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
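The root cause described above is an administrator-controlled string reaching the additional-parameters argument of PHP's mail(), which is handed to the configured mail program's command line. The following is an added illustration of the defensive pattern for that class of setting, written for this page; it is not MyBB's code and not the fix in commit `0cd318136a`. It assumes (hypothetically) that the only flag an installation legitimately needs there is the envelope sender `-f<address>`, and it rejects everything else instead of trying to escape it.

```php
<?php
// Added example (not MyBB's code): strict allow-list validation for a
// "mail additional parameters" setting before it reaches mail().
// Assumption: the only legitimate use of this setting is a single
// envelope-sender flag of the form "-f<address>".

function validate_mail_parameters(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return '';                 // no extra flags at all: the safest default
    }

    // Accept exactly one "-f" flag followed by an address built only from
    // allow-listed characters, and nothing else on the line. Any other flag,
    // whitespace-separated extra argument, quote or shell metacharacter
    // fails to match and is rejected outright rather than "cleaned".
    $pattern = '/^-f\s*([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/';
    if (preg_match($pattern, $value, $m) !== 1) {
        return null;
    }

    // Second, independent check on the captured address.
    if (filter_var($m[1], FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Return a canonical form so no user-supplied spacing or quoting survives.
    return '-f' . $m[1];
}

function send_with_validated_parameters(string $to, string $subject, string $body, string $setting): bool
{
    $params = validate_mail_parameters($setting);
    if ($params === null) {
        // Log and refuse: a rejected setting should be visible to operators,
        // not silently passed through to the mail program.
        error_log('mail additional parameters rejected: ' . $setting);
        return false;
    }
    return mail($to, $subject, $body, 'From: noreply@example.invalid', $params);
}

// Constructed sample setting values (not taken from any real installation).
$samples = [
    '',                                   // accepted: ''
    '-f bounces@example.invalid',         // accepted: '-fbounces@example.invalid'
    '-fbounces@example.invalid',          // accepted: '-fbounces@example.invalid'
    '-f bounces@example.invalid -v',      // rejected: extra argument
    '-o foo',                             // rejected: flag not on the allow-list
    "-f bounces@example.invalid; id",     // rejected: shell metacharacter
];
foreach ($samples as $s) {
    $result = validate_mail_parameters($s);
    printf("%-40s => %s\n", var_export($s, true), $result === null ? 'REJECTED' : var_export($result, true));
}
```

The design choice is deliberate: an allow-list that admits one known-good shape is easier to reason about than escaping, because any future option of the mail program that has side effects (writing files, reading configuration) never becomes reachable from the settings page at all. The separate audit log line also gives a detection hook, since a rejected value in this setting is itself a signal worth alerting on.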
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected products
mybb · mybb