CVE-2024-23336

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://docs.mybb.com/1.8/administration/configuration-file
https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630
https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h
https://mybb.com/versions/1.8.38

Configurations

No configuration.

History

01 May 2024, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-01 07:15

Updated : 2024-05-01 13:01

NVD link : CVE-2024-23336

Mitre link : CVE-2024-23336

CVE.ORG link : CVE-2024-23336

JSON object : View

Products Affected

No product.

CWE

CWE-184

Incomplete List of Disallowed Inputs

CWE-918

Server-Side Request Forgery (SSRF)

5.0 /10