SQL Injection Vulnerability in MyBB’s Group Promotions Module
CVE-2015-8974

10CRITICAL

Key Information:

Vendor

Mybb

Status
Mybb
Merge System
Vendor
CVE Published:
31 January 2017

What is CVE-2015-8974?

An SQL injection vulnerability exists in the Group Promotions module of MyBB's admin control panel, affecting versions prior to 1.6.18 and 1.8.x before 1.8.6, as well as the MyBB Merge System before version 1.8.6. This vulnerability allows remote attackers to execute arbitrary SQL commands through unspecified vectors, potentially compromising the integrity of the database and exposing sensitive information.

References

https://blog.mybb.com/2015/09/07/mybb-1-8-6-1-6-18-merge-...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/94397
vdb-entryx_refsource_BID
http://www.openwall.com/lists/oss-security/2016/11/18/1
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.