CVE-2019-12363

Name of the Vulnerable Software and Affected Versions JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB

Description A CSRF issue allows an attacker to forge a request to control the state of the mybb2fa plugin via "usercp.php?action=mybb2fa&do=deactivate" or "usercp.php?action=mybb2fa&do=activate" API endpoints, specifically by manipulating the do parameter. This can lower the security of the targeted account by disabling two-factor authentication.

Recommendations For JN-Jones MyBB-2FA plugin through 2014-11-05, consider disabling the mybb2fa plugin until a patch is available to prevent exploitation. Restrict access to the "usercp.php?action=mybb2fa&do=deactivate" and "usercp.php?action=mybb2fa&do=activate" API endpoints to minimize the risk of exploitation.