Inclusion of Functionality from Untrusted Control Sphere in MyBB - CVE-2018-1000502
Published: June 26, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31277
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-1000502
CWE-ID: CWE-829
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: MyBB Group
Affected software:
MyBB
MyBB
Detailed vulnerability description
The vulnerability allows a remote privileged user to execute arbitrary code.
MyBB Group MyBB contains a File Inclusion vulnerability in Admin panel (Tools and Maintenance -> Task Manager -> Add New Task) that can result in Allows Local File Inclusion on modern PHP versions and Remote File Inclusion on ancient PHP versions. This attack appear to be exploitable via Must have access to admin panel. This vulnerability appears to have been fixed in 1.8.15.
How to mitigate CVE-2018-1000502
Install update from vendor's website.