CVE-2022-43709: ACP Users SQL injection

MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP’s Users module that allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

Impact

SQL injection vulnerability in the Admin CP’s Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.

The vulnerable module requires Admin CP access with the Can manage users? permission.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

Column names related to custom profile fields, used in SQL queries constructed in the build_users_view() function - used for applying views, showing referred users, and searching for users - are not escaped correctly, resulting in a SQL injection vulnerability.

The vulnerable string $userfield_sql is used in an SQL query executed at:
https://github.com/mybb/mybb/blob/mybb_1831/admin/modules/user/users.php#L3459
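As an added defensive illustration, not MyBB’s code and not the content of the 1.8.32 patch, the PHP below sketches how column identifiers derived from custom profile fields can be allow-listed before they are interpolated into a users query. Placeholders cannot stand in for column names, so identifiers need their own validation step separate from bound values. The `fid<N>` column naming, the helper names, and the list of known field IDs are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example (not MyBB's code): validate custom profile field column
// identifiers before they reach SQL text. Assumptions: custom field columns
// are named "fid<N>", and the set of valid field IDs comes from a lookup that
// is stubbed here with constructed values.

/** Constructed sample of custom profile field IDs that exist. */
function known_profile_field_ids(): array
{
    return [1, 2, 5];
}

/**
 * Build the column fragment for requested custom fields.
 * Returns a comma-separated list of safe identifiers, or throws when any
 * requested identifier does not name a known custom field.
 */
function build_userfield_sql(array $requested, string $alias = 'uf'): string
{
    $known = array_flip(known_profile_field_ids());
    $columns = [];
    foreach ($requested as $field) {
        // Only the exact shape fid<digits> is accepted; quotes, spaces,
        // commas or anything else fails the pattern and is rejected.
        if (!is_string($field) || !preg_match('/^fid(\d{1,9})$/', $field, $m)) {
            throw new InvalidArgumentException('Rejected field identifier: ' . var_export($field, true));
        }
        $fid = (int) $m[1];
        if (!isset($known[$fid])) {
            throw new InvalidArgumentException("Unknown custom profile field id {$fid}");
        }
        // Rebuild the identifier from the integer so no characters from the
        // request string are copied into the query.
        $columns[] = "{$alias}.fid{$fid}";
    }
    return implode(', ', $columns);
}

/**
 * Assemble the SELECT. The validated identifier fragment is the only piece
 * of request-derived text in the query; the search value is left to a bound
 * parameter (the "?" placeholder) for the caller's prepared statement.
 */
function build_users_query(array $requested_fields): string
{
    $userfield_sql = build_userfield_sql($requested_fields);
    $select = 'u.uid, u.username';
    if ($userfield_sql !== '') {
        $select .= ', ' . $userfield_sql;
    }
    return "SELECT {$select} FROM users u "
         . "LEFT JOIN userfields uf ON uf.ufid = u.uid "
         . "WHERE u.username LIKE ?";
}

// Demonstration with constructed inputs: one valid request, two rejected ones.
echo build_users_query(['fid1', 'fid5']), PHP_EOL;

foreach ([['fid1, fid2'], ['fid9']] as $bad) {
    try {
        build_users_query($bad);
    } catch (InvalidArgumentException $e) {
        echo 'blocked: ', $e->getMessage(), PHP_EOL;
    }
}
```

The point of rebuilding each identifier from the parsed integer rather than echoing the validated string is that the query never contains bytes copied from the request, so a later change to the regular expression cannot silently widen what reaches the database; the stored search filter case the advisory mentions is covered the same way, since the filter values pass through the same function when they are read back.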

Patches

MyBB 1.8.32 resolves this issue with the following changes:

  • Commit: 68b7abe
    • .patch: https://github.com/mybb/mybb/commit/68b7abe2bcddf663eefe733163ff2c0f33205609.patch

References

  • Release Notes: https://mybb.com/versions/1.8.32/

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at [email protected].
