CVE-2024-23336

EPSS 0.11%
Veröffentlicht 01.05.2024 07:15:38
Zuletzt bearbeitet 30.06.2025 15:10:32
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mybb ≫ Mybb Version < 1.8.38

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.302

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5	1.6	3.4	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-184 Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://mybb.com/versions/1.8.38

Product

Release Notes

https://docs.mybb.com/1.8/administration/configuration-file

Product

https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630

Patch

https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-23336

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-23336

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-23336

EUVD