PT-2024-19817 · Mybb · Mybb
Shin24 · Published 2024-05-01 · Updated 2025-06-30 · CVE-2024-23336
CVSS v3.1: 5.0 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: MyBB versions prior to 1.8.38

Description: The default list of disallowed remote hosts in MyBB does not contain the 127.0.0.0/8 block, which may result in a Server-Side Request Forgery (SSRF) issue. The Disallowed Remote Addresses list in the configuration file ($config['disallowed_remote_addresses'] in inc/config.php) contains the single address 127.0.0.1 but not the complete 127.0.0.0/8 loopback block, so a request aimed at any other loopback address (127.0.0.2, for example) passes the check and still reaches the local host. Because the list lives in inc/config.php rather than in the code, upgrading alone does not change an existing board's configuration: administrators should update the existing list to include all addresses blocked by default in the new version, and verify that it also covers any other IPv4 addresses resolving to the server and other internal resources.

Recommendations: For MyBB versions prior to 1.8.38, update to MyBB 1.8.38 to resolve the issue. If upgrading is not immediately possible, manually add 127.0.0.0/8 to the disallowed address list in the configuration file (inc/config.php) as a temporary workaround. Restrict access to internal resources and verify that the configuration includes any other IPv4 addresses resolving to the server to minimize the risk of exploitation.
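The following check, added here as an illustration and not part of MyBB's own code, shows why the single-host entry is insufficient and how an administrator can confirm that a corrected list covers every address that resolves to the server. The two lists mirror the shape of $config['disallowed_remote_addresses'] (bare IPs or CIDR blocks); the private ranges beside the loopback entry, the probe addresses and the server address 203.0.113.10 are assumed values for the demonstration, and the matching is a simplified stand-in for MyBB's check.

```python
"""Coverage check for a MyBB-style disallowed_remote_addresses list.

Constructed example: the lists below only mirror the shape of the
config array in inc/config.php; they are not copied from MyBB.
"""
import ipaddress

# Shape of the pre-1.8.38 default: only the single host 127.0.0.1 is
# listed for loopback. The other entries are assumed private ranges.
WEAK_LIST = ["127.0.0.1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Corrected per the advisory: the whole 127.0.0.0/8 block.
FIXED_LIST = ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed probes: loopback aliases an attacker could point a remote
# fetch at, plus the server's own public address (assumed for the demo).
PROBES = ["127.0.0.1", "127.0.0.2", "127.255.255.254", "203.0.113.10"]


def parse_list(entries):
    """Turn config entries into networks; a bare IP becomes a /32 host."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_disallowed(ip, entries):
    """True if ip falls inside any entry of the disallowed list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_list(entries))


def uncovered(targets, entries):
    """Return the target addresses the list fails to block."""
    return [t for t in targets if not is_disallowed(t, entries)]


def harden(entries, server_ips):
    """Add 127.0.0.0/8 and the server's own addresses, skipping duplicates
    and anything an existing entry already covers."""
    out = list(entries)
    for candidate in ["127.0.0.0/8"] + list(server_ips):
        net = ipaddress.ip_network(candidate, strict=False)
        if not any(net.subnet_of(n) for n in parse_list(out) if n.version == net.version):
            out.append(candidate)
    return out


if __name__ == "__main__":
    for name, lst in (("weak", WEAK_LIST), ("fixed", FIXED_LIST)):
        print(f"{name} list lets through: {uncovered(PROBES, lst)}")
    # Admin procedure from the recommendations: add the block and the
    # addresses resolving to this server, then re-check.
    hardened = harden(WEAK_LIST, ["203.0.113.10"])
    print("hardened list:", hardened)
    print("hardened list lets through:", uncovered(PROBES, hardened))
```

Running it shows the weak list blocking 127.0.0.1 alone while 127.0.0.2 and 127.255.255.254 pass; the fixed list still lets the server's own public address through, which is why the advisory asks administrators to add those addresses explicitly as well.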

Exploit · Fix

Weakness Enumeration: SSRF · Incomplete List of Disallowed Inputs

Related Identifiers: CVE-2024-23336 · GHSA-QFRJ-65MV-H75H

Affected Products: Mybb