Backups directory .htaccess deletion

Low
dvz published GHSA-94xr-g4ww-j47r Apr 30, 2024

Package

MyBB

Affected versions

< 1.8.38

Patched versions

1.8.38

Description

Impact

The backup management module of the Admin CP may accept .htaccess as the name of the backup file to be deleted. Deleting that file removes the access restrictions it applies to the backups directory, which may expose the stored backup files over HTTP on Apache servers.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
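The class of check that prevents this kind of deletion, shown as an added example (not MyBB's code and not the 1.8.38 patch): the requested name is matched against an allowlist before any file is touched. The function name resolve_deletable_backup, the .sql / .sql.gz extensions, and the sample file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not MyBB code. Assumes backups are regular files named
// like "backup_1714470000.sql" or "....sql.gz", stored directly in one directory.
function resolve_deletable_backup(string $backupDir, string $requested): ?string
{
    // Allowlist: the name must start with an alphanumeric character (so dotfiles
    // such as .htaccess never match), contain no path separators, and end with
    // an assumed backup extension.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]*\.sql(\.gz)?\z/', $requested) !== 1) {
        return null;
    }
    $dir = realpath($backupDir);
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $requested);
    // The target must exist, be a regular file, and sit directly in the
    // backups directory after symlinks are resolved.
    if ($path === false || !is_file($path) || dirname($path) !== $dir) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one backup and the
// access-control file that must never be deletable through this code path.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'backup_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents($dir . '/.htaccess', "Require all denied\n");
file_put_contents($dir . '/backup_1714470000.sql', "-- constructed sample\n");

foreach (['backup_1714470000.sql', '.htaccess', '../.htaccess', 'index.html'] as $name) {
    $target = resolve_deletable_backup($dir, $name);
    printf("%-24s %s\n", $name, $target === null ? 'rejected' : 'deletable');
}

// Clean up the constructed files.
unlink($dir . '/.htaccess');
unlink($dir . '/backup_1714470000.sql');
rmdir($dir);
```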

Patches

MyBB 1.8.38 resolves this issue with the following changes:

References

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.

Severity

Low

CVE ID

CVE-2024-23335

Weaknesses