CVE-2024-23335
MEDIUMMyBB < 1.8.38 - Unauthenticated Backup File Exposure via .htaccess Deletion
Title source: llmDescription
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r
Patch x_refsource_misc
https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch
Product, Release Notes x_refsource_misc
https://mybb.com/versions/1.8.38
Scores
CVSS v3
4.7
EPSS
0.0056
EPSS Percentile
42.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (1)
mybb/mybb
< 1.8.38
Published
May 01, 2024
Tracked Since
Feb 18, 2026