CVE-2019-12831

Name of the Vulnerable Software and Affected Versions MyBB versions prior to 1.8.21

Description The issue allows an attacker to create a PHP shell in the cache directory of a targeted forum via a crafted XML import. This is achieved by exploiting a default behavior of MySQL on many systems, where strings that are too long for a database column are truncated. For example, a string like aaaaaaaaaaaaaaaaaaaaaa.php.css can be truncated to aaaaaaaaaaaaaaaaaaaaaa.php due to a 30-character limit, leading to remote code execution.

Recommendations For MyBB versions prior to 1.8.21, update to version 1.8.21 or later to resolve the issue.