CVE-2021-43281
Severity: HIGH
MyBB 1.2.0-1.8.28 - Authenticated Remote Code Injection via Admin CP Settings Management
Title source: llmDescription
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, which makes it possible to add a setting of the supported type "php" containing PHP code that is then executed on the Change Settings pages.
References (1)
Patch, Release Notes, Third Party Advisory (x_refsource_confirm): https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p
Scores
CVSS v3: 7.2
EPSS: 0.0129
EPSS Percentile: 66.7%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-94
Status: published
Products (1): mybb/mybb 1.2.0 - 1.8.29
Published: Nov 04, 2021
Tracked Since: Feb 18, 2026