A vulnerability, which was classified as problematic, has been found in MyBB (Content Management System). This issue affects some unknown processing. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:

MyBB (aka MyBulletinBoard) before 1.4.12 does not properly handle a configuration with a visible forum that contains hidden threads, which allows remote attackers to obtain sensitive information by reading the Latest Threads block of the Portal Page.

The weakness was released 12/30/2010 (Website). The advisory is shared at blog.mybb.com. The identification of this vulnerability is CVE-2010-4625 since 12/30/2010. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading to version 1.2.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at X-Force (64517). Entries connected to this vulnerability are available at 55905, 55904, 55903 and 55902.

Productinfo

Type

• Content Management System

Name

• MyBB

Version

• 1.00
• 1.01
• 1.02
• 1.03
• 1.04
• 1.1.0
• 1.1.1
• 1.1.2
• 1.1.3
• 1.1.4
• 1.1.5
• 1.1.6
• 1.1.7
• 1.1.8
• 1.2.0
• 1.2.1
• 1.2.2
• 1.2.3
• 1.2.4
• 1.2.5
• 1.2.6
• 1.2.7
• 1.2.8
• 1.2.9
• 1.2.10
• 1.2.11
• 1.2.12
• 1.2.13
• 1.4.0
• 1.4.2
• 1.4.3
• 1.4.6
• 1.4.8
• 1.4.9
• 1.4.10
• 1.4.11

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion