RCE in MyBB

CVE-2022-24734

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` wit…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.824 (99.2th percentile).

CVSS v3 metric

CVSS v3 base score 7.2 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Affected products

  • MyBB: versions >= 1.2.0, < 1.8.30

Frequently asked questions

What is CVE-2022-24734?
CVE-2022-24734 is a high-severity vulnerability in MyBB, classified under Code Injection. CVSS score: 7.2/10. Published 2022-03-09.
How severe is CVE-2022-24734?
High severity. CVSS v3 base score is 7.2 out of 10.
Is CVE-2022-24734 known to be exploited?
19 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.