PT-2022-2581 · Mybb · Mybb

Cillian Collins

·

Published

2022-03-09

·

Updated

2024-03-06

·

CVE-2022-24734

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.30
Description: The issue is related to the Admin CP's Settings management module, which does not validate setting types correctly on insertion and update. This allows an attacker to add settings of the supported type php containing PHP code, which is executed on Change Settings pages, resulting in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the "Can manage settings?" permission. MyBB's Settings module stores setting data in an options code string ($optionscode; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). The vulnerability can be exploited by remote attackers who have authenticated access to the Admin Control Panel.
Recommendations: For MyBB versions prior to 1.8.30, update to version 1.8.30 to resolve the issue. As a temporary workaround, consider restricting access to the Admin CP's Settings management module to minimize the risk of exploitation. Additionally, restrict the use of the php setting type until the update is applied.

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2022-03029
BIT-MYBB-2022-24734
CVE-2022-24734
GHSA-876V-GWGH-W57F
ZDI-22-503

Affected Products

Mybb