Description

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.

Remediation

References

CVE-2021-43281

Related Vulnerabilities

Internet Information Services Other Vulnerability (CVE-2003-0718)

WordPress Plugin Giveaway SQL Injection (1.2.2)

Oracle Database Server CVE-2011-0879 Vulnerability (CVE-2011-0879)

WordPress Plugin Delete All Comments Easily Cross-Site Request Forgery (1.3)

Atlassian Jira CVE-2020-36237 Vulnerability (CVE-2020-36237)

Severity

High

Classification

CVE-2021-43281 CWE-94 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities