Description
In MyBB before 1.8.21, an attacker can abuse a default behavior of MySQL on many systems (that leads to truncation of strings that are too long for a database column) to create a PHP shell in the cache directory of a targeted forum via a crafted XML import, as demonstrated by truncation of aaaaaaaaaaaaaaaaaaaaaaaaaa.php.css to aaaaaaaaaaaaaaaaaaaaaaaaaa.php with a 30-character limit, aka theme import stylesheet name RCE.
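The mismatch described above, between the name an import check sees and the name the database keeps, shown as an added example that is not MyBB's own code. The 30-character limit and the sample name come from the description; the function names and the ".css" allow-list are assumptions made for illustration.

```python
# Added illustration, not MyBB code. COLUMN_LIMIT and the sample name follow
# the description; ALLOWED_EXT and all function names are assumptions.
COLUMN_LIMIT = 30          # column length cited in the description
ALLOWED_EXT = ".css"       # assumed: the only extension a stylesheet may carry

# Constructed sample: 26 "a" characters + ".php.css" (34 characters in total).
SAMPLE = "a" * 26 + ".php.css"


def stored_value(name, limit=COLUMN_LIMIT):
    """Model a non-strict MySQL column: over-long strings are silently cut."""
    return name[:limit]


def naive_check(name):
    """Extension test on the submitted name only (the flawed pattern)."""
    return name.lower().endswith(ALLOWED_EXT)


def check_stylesheet_name(name, limit=COLUMN_LIMIT):
    """Validate the name that will actually be stored. Returns (ok, reason)."""
    if len(name) > limit:
        # Reject outright instead of letting the database shorten the value.
        return False, "longer than column limit; would be truncated"
    if not name.lower().endswith(ALLOWED_EXT):
        return False, "extension is not .css"
    if stored_value(name, limit) != name:
        # Defence in depth: the stored form must equal the validated form.
        return False, "stored value differs from validated value"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (SAMPLE, "global.css"):
        print(candidate,
              "| naive:", naive_check(candidate),
              "| stored as:", stored_value(candidate),
              "| strict:", check_stylesheet_name(candidate))
```

The naive check accepts the sample because it ends in ".css", while the value kept after truncation ends in ".php"; the length check rejects it before anything is written.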
Remediation
References