PT-2026-57216 · Simple Machines · Smf

Elure

+1

·

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-39903

CVSS v3.1

7.1

Alta

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users' pending attachments.

Correção

Incorrect Authorization

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-39903

Produtos afetados

Smf