CVE-2024-23335

May 1, 2024, 1:01 p.m.

4.7
Medium

Description

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

Product(s) Impacted

Product Versions
MyBB
  • ['1.8.38 and earlier']
MyBB
  • ['1.8.37 and prior']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch
https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r
https://mybb.com/versions/1.8.38

Tags

2024-05-01
CWE-20
security-advisories@github.com
CVE-2024-23335

CVSS Score

4.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW

    • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

    View Vector String

Timeline

Published: May 1, 2024, 7:15 a.m.
Last Modified: May 1, 2024, 1:01 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.