Impact
The value of the Mail Settings → Additional Parameters for PHP's mail() (mail_parameters) setting is passed to the configured mail program; in combination with that program's options and behavior, it may allow access to sensitive information and Remote Code Execution (RCE).
The vulnerable module requires Admin CP access with the Can manage settings? permission, and exploitation may depend on configured file permissions.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Patches
While the customization of program parameters may have legitimate uses, their modification using the Admin CP was determined too risky. Therefore, the source of the value has been moved to the Configuration File, requiring existing write access to application files.
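As an added illustration of that mitigation direction (not MyBB's own code), the PHP below sources the extra mail() parameters from a configuration array instead of an admin-editable setting and accepts only an envelope-sender override; the config key name and sample value are assumptions.

```php
<?php
// Added example, not MyBB code: read mail() additional parameters from a
// config file and allow only "-f<address>" (envelope sender). PHP passes
// this argument through escapeshellcmd(), which prevents shell injection
// but does not stop option flags from reaching the mail program.

declare(strict_types=1);

// Hypothetical config file contents (constructed sample value). In the
// real fix the value lives in MyBB's Configuration File, so changing it
// requires write access to application files rather than Admin CP access.
$config = [
    'mail_parameters' => '-fbounces@example.com',
];

/**
 * Return a validated additional_parameters string for mail(), or an empty
 * string when the configured value is not on the allowlist. Any option
 * other than -f<address> is rejected, since other options can direct the
 * mail program at files or configuration the web server should not touch.
 */
function safe_mail_parameters(string $raw): string
{
    $raw = trim($raw);
    if ($raw === '') {
        return '';
    }
    if (preg_match('/^-f([^\s@]+@[^\s@]+)$/', $raw, $m) === 1
        && filter_var($m[1], FILTER_VALIDATE_EMAIL) !== false) {
        return '-f' . $m[1];
    }
    error_log('mail_parameters rejected: value is not on the allowlist');
    return '';
}

$params = safe_mail_parameters($config['mail_parameters']);
// mail('user@example.com', 'Subject', 'Body', 'From: bounces@example.com', $params);
```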
MyBB 1.8.31 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797.patch
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.