CVE-2022-39265

CVSS V2 None CVSS V3 High 7.2
Description
MyBB is a free and open source forum software. The _Mail Settings_ ? Additional Parameters for PHP's mail() function mail_parameters setting value, in connection with the configured mail program's options and behavior, may allow access to sensitive information and Remote Code Execution (RCE). The vulnerable module requires Admin CP access with the `_Can manage settings?_` permission and may depend on configured file permissions. MyBB 1.8.31 resolves this issue with the commit `0cd318136a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Overview
  • CVE ID
  • CVE-2022-39265
  • Assigner
  • security-advisories@github.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-10-06T18:16:12
  • Last Modified Date
  • 2023-03-01T18:08:06
Weakness Enumerations
CWE URL
CWE-74 http://cwe.mitre.org/data/definitions/74.html
CWE-77 http://cwe.mitre.org/data/definitions/77.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:* 1 OR 1.8.31
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 7.2
  • Base Severity
  • HIGH
  • Exploitability Score
  • 1.2
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://mybb.com/versions/1.8.31/
https://github.com/mybb/mybb/security/advisories/GHSA-hxhm-rq9f-7xj7
https://github.com/mybb/mybb/commit/0cd318136a10b029bb5c8a8f6dddf39d87519797
https://github.com/mybb/mybb/blob/mybb_1830/install/resources/settings.xml#L2331-L2338
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-39265
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39265
History
Created Old Value New Value Data Type Notes
2022-10-06 19:00:57 Added to TrackCVE
2022-12-07 05:34:08 2022-10-06T18:16Z 2022-10-06T18:16:12 CVE Published Date updated
2022-12-07 05:34:08 2022-12-02T20:41:26 CVE Modified Date updated
2022-12-07 05:34:08 Analyzed Vulnerability Status updated
2022-12-07 05:34:09 CWE-77 Weakness Enumeration updated
2023-01-25 02:13:26 2023-01-25T02:01:10 CVE Modified Date updated
2023-01-25 02:13:26 Analyzed Modified Vulnerability Status updated
2023-01-25 02:13:26 Weakness Enumeration update
2023-01-26 13:14:22 Modified Undergoing Analysis Vulnerability Status updated
2023-03-01 18:12:53 2023-03-01T18:08:06 CVE Modified Date updated
2023-03-01 18:12:53 Undergoing Analysis Analyzed Vulnerability Status updated