Impact

SQL injection vulnerability in the Admin CP's Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

The vulnerable module requires Admin CP access with the Can manage users? permission.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Column names related to custom profile fields, used in SQL queries constructed in the build_users_view() function - used for applying views, showing referred users, and searching for users - are not escaped correctly, resulting in a SQL injection vulnerability.

The vulnerable string $userfield_sql is used in an SQL query executed at:
https://github.com/mybb/mybb/blob/mybb_1831/admin/modules/user/users.php#L3459

Patches

MyBB 1.8.32 resolves this issue with the following changes:

• Commit: 68b7abe
  • .patch: https://github.com/mybb/mybb/commit/68b7abe2bcddf663eefe733163ff2c0f33205609.patch

References

• Release Notes: https://mybb.com/versions/1.8.32/

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.