A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution (RCE) without the need for prior access to a privileged account.
The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update (version 1.8.26) on March 10 addressing the issues.
MyBB, formerly MyBBoard and originally MyBulletinBoard, is free and open-source forum software developed using PHP and MySQL.
According to the researchers, the first issue — a nested auto URL persistent XSS vulnerability (CVE-2021-27889) — stems from how MyBB parses messages containing URLs during the rendering process, thus enabling any unprivileged forum user to embed stored XSS payloads into threads, posts, and even private messages.
"The vulnerability can be exploited with minimal user interaction by saving a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and pointing a victim to a page where the content is parsed," MyBB said in an advisory.
The second vulnerability concerns an SQL injection (CVE-2021-27890) in a forum's theme manager that could result in an authenticated RCE. A successful exploitation occurs when a forum administrator with the "Can manage themes?" permission imports a maliciously crafted theme, or a user, for whom ..
Support the originator by clicking the read the rest link below.
