Vz

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.8.31 **Description** The issue allows remote authenticated users to modify the query string via direct user input or stored search filter settings in the Admin CP's Users module, resulting in a SQL injection vulnerability. **Recommendations** For MyBB version 1.8.31, consider restricting access to the Admin CP's Users module until a patch is available. As a temporary workaround, avoid using direct user input or stored search filter settings in the affected module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.31 **Description** The issue in MyBB allows access to sensitive information and Remote Code Execution (RCE) through the mail parameters setting value in the Mail Settings → Additional Parameters for PHP's mail() function, in connection with the configured mail program's options and behavior. This requires Admin CP access with the ` Can manage settings? ` permission and may depend on configured file permissions. **Recommendations** For MyBB versions prior to 1.8.31, upgrade to version 1.8.31 or later to resolve the issue. As a temporary workaround, consider restricting access to the Admin CP and limiting the ` Can manage settings? ` permission to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.28 **Description** The issue allows stored XSS because the displayed Template Name value in the Admin CP's theme management is not escaped properly. **Recommendations** For versions prior to 1.8.28, update to version 1.8.28 or later to resolve the issue. As a temporary workaround, consider restricting access to the theme management in the Admin CP to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to SQL Injection vulnerability in MyBB, which occurs via theme properties included in theme XML files. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to a SQL Injection vulnerability. It affects the User Groups component. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to a SQL Injection vulnerability. It can be exploited via the poll vote count. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.26 Description: The issue is related to a SQL Injection vulnerability. It can be exploited via the Copy Forum feature in Forum Management. Recommendations: For versions prior to 1.8.26, update to version 1.8.26 or later to resolve the issue.