First published: Thu Nov 04 2021
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Mybb Mybb | >=1.2.0 <1.8.29 | |
CVE-2021-43281 is a vulnerability identified in MyBB before version 1.8.29 which allows Remote Code Injection by an admin with the "Can manage settings?" permission.
The severity of CVE-2021-43281 is rated as high with a severity value of 7.2.
CVE-2021-43281 allows an admin with the "Can manage settings?" permission to add settings of type "php" containing PHP code, which is then executed on Change Settings pages in MyBB before version 1.8.29.
To fix CVE-2021-43281, it is recommended to update MyBB to version 1.8.29 or higher, which has addressed this vulnerability.
You can find more information about CVE-2021-43281 on the GitHub Security Advisory page at https://github.com/mybb/mybb/security/advisories/GHSA-8gxx-vmr9-h39p.
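As an added example (not code from MyBB or from the advisory), the following audit checks whether an installed version falls in the affected range and lists settings of type "php" in an exported settings table for manual review. The column names `name` and `optionscode`, the layout with the type keyword on the first line of `optionscode`, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample: CSV export of a MyBB settings table. The column names
# (name, optionscode) and the "type on the first line" layout are assumptions
# about the schema, not taken from the advisory text.
SAMPLE_EXPORT = '''name,optionscode
boardclosed,yesno
bbname,text
timezoneoffset,"select
-12=GMT -12
0=GMT"
custom_widget,"php
[constructed placeholder for stored code]"
Mixed_Case," PHP
[constructed placeholder]"
'''

FIXED_VERSION = (1, 8, 29)   # from the advisory: fixed in 1.8.29
FIRST_AFFECTED = (1, 2, 0)   # from the advisory: >=1.2.0


def parse_version(text):
    """Turn '1.8.27' into (1, 8, 27); missing parts count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version_text):
    """True when the version falls in the advisory's range >=1.2.0 <1.8.29."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION


def setting_type(optionscode):
    """Type keyword: first line, trimmed and lowercased so the audit over-flags."""
    lines = optionscode.strip().splitlines()
    return lines[0].strip().lower() if lines else ""


def find_php_settings(export_text):
    """List names of settings whose type keyword is 'php', for manual review."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r["name"] for r in rows if setting_type(r["optionscode"]) == "php"]


if __name__ == "__main__":
    print("1.8.27 affected:", is_affected("1.8.27"))
    print("review:", find_php_settings(SAMPLE_EXPORT))
```

A flagged row is a prompt to review who created the setting and what it contains, not proof of compromise.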