CVE-2023-53979

MyBB 1.8.32 Authenticated Remote Code Execution via Chained Vulnerabilities

CVSS 8.6 HIGH · EPSS 0.7% · CWE-22
In short

MyBB 1.8.32 allows a logged-in administrator to bypass the avatar upload restrictions, upload a file that carries PHP code, and then execute that code on the server. This is possible because the avatar upload validation is insufficient and the admin panel lets the administrator edit the settings that control where uploaded files are stored.

Technical detail

An authenticated administrator can chain three weaknesses to reach remote code execution: change the upload-directory setting in the configuration, upload an image file with embedded PHP that passes the avatar upload validation, and trigger execution of the planted code through the language configuration editing interface. The chain is classified as CWE-22 (path traversal). Admin-level privileges are required, but the result is arbitrary code execution on the server.

Summary generated and translated by AI from the official description.
MyBB 1.8.32 contains a chained vulnerability that allows authenticated administrators to bypass avatar upload restrictions and execute arbitrary code. Attackers can modify upload path settings, upload a malicious PHP-embedded image file, and execute commands through the language configuration editing interface.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
Mybb · MyBB
