CVE-2024-23336

low-risk

Published 2024-05-01

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.0/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Mybb

Affected Vendors

Mybb

References (8)

Product https://docs.mybb.com/1.8/administration/configuration-file

Patch https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630

Vendor Advisory https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h

Product https://mybb.com/versions/1.8.38

Product https://docs.mybb.com/1.8/administration/configuration-file

Patch https://github.com/mybb/mybb/commit/d6a96019025de9149014e06b1df252e6122e5630

Vendor Advisory https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h

Product https://mybb.com/versions/1.8.38

/ 100

low-risk

Severity 16/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal