PT-2014-8895 · Mybb · Mybb
Published
2014-12-03
·
Updated
2014-12-05
·
CVE-2014-9240
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
MyBB versions 1.8.x before 1.8.2
Description
The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the
question id parameter in a "do register" action.Recommendations
For MyBB versions 1.8.x before 1.8.2, update to version 1.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the
member.php file or avoiding the use of the question id parameter in the "do register" action until the update is applied.Exploit
Fix
RCE
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mybb