CVE-2011-10018

Exploit

EPSS 47.45%
Veröffentlicht 13.08.2025 20:35:31
Zuletzt bearbeitet 14.08.2025 17:42:18
Quelle disclosure@vulncheck.com
Teams Watchlist Login
Unerledigt Login

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mybb ≫ Mybb Version1.6.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	47.45%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	10	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-912 Hidden Functionality

The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb

Product

https://www.exploit-db.com/exploits/17949

Exploit

https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/

Third Party Advisory

https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/

Vendor Advisory

https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2011-10018

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2011-10018

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2011-10018

EUVD