CVE-2022-24734

Published: 09/03/2022 Updated: 30/09/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 580
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

This vulnerability allows remote malicious users to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. The specific flaw exists within the Control Panel. The issue results from the lack of proper validation of a user-supplied string before using it to construct server-side code. An attacker can leverage this vulnerability to execute code in the context of the www-data user.

Vulnerable Product

mybb mybb

Exploits

This Metasploit module exploits an improper input validation vulnerability in MyBB versions prior to 1.8.30 to execute arbitrary code in the context of the user running the application. The MyBB Admin Control setting page calls the PHP eval function with unsanitized user input. The exploit adds a new setting, injecting the payload in the vulnerable ...
MyBB version 1.8.29 suffers from a remote code execution vulnerability ...

Github Repositories

CVE-2022-24734 PoC

CVE-2022-24734 PoC. An RCE can be obtained on MyBB's Admin CP in Configuration -> Add New Setting. The user must have rights to add or update settings. This is tested on MyBB 1.8.29.

MyBB 1.8.29 - Remote Code Execution

mybb-CVE-2022-24734: MyBB 1.8.29 - Remote Code Execution. Lab setup commands from the repository (one per line; the domain and .git suffix lost their dots in extraction and are restored here):

git clone https://github.com/lavclash75/mybb-CVE-2022-24734.git
cd "mybb-CVE-2022-24734"
docker-compose down
# Caution: the next three commands act on the whole Docker host, not just this lab.
# They delete ALL unused images, ALL containers and ALL volumes on the machine.
docker system prune -a
docker rm -f $(docker ps -a -q)
docker volume rm $(docker volume ls -q)
docker-compose up -d