Improper Privilege Management in MyBB - CVE-2018-1000503
Published: June 26, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31278
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-1000503
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: MyBB Group
Affected software:
MyBB
MyBB
Detailed vulnerability description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
MyBB Group MyBB contains a Incorrect Access Control vulnerability in Private forums that can result in Users can view posts from private forums without having the password. This attack appear to be exploitable via Subscribe to a forum through IDOR. This vulnerability appears to have been fixed in 1.8.15.
How to mitigate CVE-2018-1000503
Install update from vendor's website.