Lucene search

GitHub_MCVELIST:CVE-2024-23335

HistoryMay 01, 2024 - 6:27 a.m.

CVE-2024-23335 Backups directory .htaccess deletion in. MyBB

2024-05-0106:27:42

CWE-20

GitHub_M

www.cve.org

cve-2024-23335

mybb

forum software

backup management

admin cp

apache servers

upgrade

vulnerability

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

CNA Affected

[
  {
    "vendor": "mybb",
    "product": "mybb",
    "versions": [
      {
        "version": "< 1.8.38",
        "status": "affected"
      }
    ]
  }
]

References

github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch

github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r

mybb.com/versions/1.8.38