CVE-2022-24734

Severity: High · Public PoC · RCE

Published: 09 March 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (MyBB 1.8.30)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8241 (99.2nd percentile)
Risk Priority: 64 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24734 is a high-severity Code Injection (CWE-94) vulnerability in MyBB (vendor MyBB, product MyBB). Its CVSS v3.1 base score is 7.2 (High); the PR:H component of the vector reflects that exploitation requires an already-privileged administrator account.

Operationally, it ranks in the top 0.8% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

MyBB, an open-source forum application, contains a flaw in its Admin CP Settings management module that fails to validate setting types on insertion or update. This permits creation of settings with the supported type "php", whose options code is then executed as PHP on Change Settings pages. The issue stems from the module's handling of the optionscode database column, which stores type identifiers and associated code separated by newlines, a capability originally added in MyBB 1.2.0 for plugin and internal use.

An authenticated administrator possessing the "Can manage settings?" permission can exploit the weakness to achieve remote code execution by supplying arbitrary PHP in a crafted setting. Because the code runs with the privileges of the PHP worker serving the administrative interface, the attacker can read or modify application data (including the database credentials in the configuration), alter configuration, or pivot further into the underlying server. In practice this turns any compromise of an admin account or session (phished password, reused credential, hijacked cookie) into server-side code execution, which is what makes an admin-only bug worth prioritising.

The MyBB project addressed the vulnerability in version 1.8.30 via a commit that restores proper type validation. Public advisories, including the GitHub Security Advisory and the 1.8.30 release notes, state there are no known workarounds and recommend immediate upgrade for any installation still running 1.8.29 or earlier.

Public exploit code for the issue has been posted on Packet Storm, and the CVE maintains a high EPSS score with a recorded peak of 0.9468, indicating sustained exploitation interest after disclosure.
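The following PHP is an illustrative example added by the editor; it is not MyBB's own code or its actual patch. It models how a MyBB-style settings module splits an optionscode string into type and options, makes the `php` sink explicit, shows one way to reject non-allow-listed types on insert/update, and adds an audit helper that a responder can run over rows from mybb_settings to look for settings of type `php`. The function names, the allow-list of admin-creatable types, and the sample rows are assumptions made for this example.

```php
<?php
// Added illustrative example (not MyBB's code). All names below are assumed.
declare(strict_types=1);

/**
 * Split an optionscode string into [type, options].
 * Storage format (mybb_settings.optionscode): "<type>\n<options>".
 */
function parse_optionscode(string $optionscode): array
{
    $parts = explode("\n", $optionscode, 2);
    return [trim($parts[0]), $parts[1] ?? ''];
}

/**
 * Vulnerable rendering path, as the advisory describes it: for the "php"
 * type the remainder of the options code is evaluated on Change Settings
 * pages. Shown only to make the sink explicit; never feed it
 * admin-supplied optionscode.
 */
function render_setting_unsafe(string $name, string $optionscode): string
{
    [$type, $options] = parse_optionscode($optionscode);
    switch ($type) {
        case 'text':
            return '<input type="text" name="' . htmlspecialchars($name) . '">';
        case 'yesno':
            return '<input type="checkbox" name="' . htmlspecialchars($name) . '">';
        case 'php':
            // SINK: whatever was stored after "php\n" runs as PHP here.
            return (string) eval($options);
        default:
            return '';
    }
}

/** Setting types an Admin CP user may legitimately create (assumed allow-list; "php" is absent). */
const ADMIN_CREATABLE_TYPES = [
    'text', 'numeric', 'textarea', 'yesno', 'onoff', 'select', 'radio',
    'checkbox', 'language', 'adminlanguage', 'cpstyle', 'forumselect', 'groupselect',
];

/**
 * Hardened insert/update: reject any optionscode whose type is not in the
 * allow-list before it reaches the database. Returns the normalised
 * optionscode or throws.
 */
function validate_admin_optionscode(string $optionscode): string
{
    [$type, $options] = parse_optionscode($optionscode);
    if (!in_array($type, ADMIN_CREATABLE_TYPES, true)) {
        throw new InvalidArgumentException("Unsupported setting type: {$type}");
    }
    return $type . ($options === '' ? '' : "\n" . $options);
}

/**
 * Forensic check: return rows whose optionscode type is "php". The same
 * check against a live install (assumed table prefix mybb_) is
 *   SELECT sid, name, optionscode FROM mybb_settings WHERE optionscode LIKE 'php%';
 * Any such row not created by a plugin you trust deserves investigation.
 */
function find_php_settings(array $rows): array
{
    return array_values(array_filter($rows, function (array $row): bool {
        [$type] = parse_optionscode($row['optionscode']);
        return $type === 'php';
    }));
}

// Constructed sample rows for the demonstration (not real data).
$rows = [
    ['sid' => 1, 'name' => 'bbname',      'optionscode' => "text"],
    ['sid' => 2, 'name' => 'showbirthdays', 'optionscode' => "yesno"],
    ['sid' => 3, 'name' => 'theme_tweak', 'optionscode' => "php\nreturn shell_exec('id');"],
];

foreach (find_php_settings($rows) as $row) {
    echo "suspicious setting {$row['sid']} ({$row['name']})\n";
}

try {
    validate_admin_optionscode("php\nreturn shell_exec('id');");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The audit helper is the piece worth keeping after patching: upgrading to 1.8.30 stops new `php` settings being created through the Admin CP, but it does not remove a malicious setting that was already stored, and that setting will keep executing every time an administrator opens the relevant Change Settings page.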

Vulnerability details

MyBB is a free and open source forum software. In affected versions the Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type `php` with PHP code, executed on _Change Settings_ pages. This results in a Remote Code Execution (RCE) vulnerability. The vulnerable module requires Admin CP access with the `Can manage settings?` permission. MyBB's Settings module, which allows administrators to add, edit, and delete non-default settings, stores setting data in an options code string ($options_code; mybb_settings.optionscode database column) that identifies the setting type and its options, separated by a new line character (\n). In MyBB 1.2.0, support for setting type php was added, for which the remaining part of the options code is PHP code executed on Change Settings pages (reserved for plugins and internal use). MyBB 1.8.30 resolves this issue. There are no known workarounds.

CWE(s)

CWE-94: Improper Control of Generation of Code ('Code Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: MyBB
Product: MyBB
Affected versions: 1.2.0 up to and including 1.8.29 (fixed in 1.8.30)

Mitigating Controls

Likely mitigating controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-94) cited in the NVD entry.

- Read-only executable media (addresses CWE-94): makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Sandboxed execution (addresses CWE-94): dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Input validation for dynamic code generation (addresses CWE-94): validates inputs used in dynamic code generation to block injected directives.
- Non-executable data memory (addresses CWE-94): directly prevents execution of attacker-supplied code written into data memory regions.

Caveat: only the input-validation control addresses this CVE directly. The injected payload is PHP source evaluated by the interpreter, not machine code written into memory, so non-executable data regions and read-only executable images do not stop it. The effective controls are the 1.8.30 type check, tight control over which accounts hold the "Can manage settings?" permission, and least-privilege or sandboxing of the PHP worker process to limit what an attacker can reach once code runs.
