Strix
26.1K

CVE-2024-23336

MEDIUMCVSS 5/10EPSS 0.46%

Last modified

CVE-2024-23336 is a medium-severity vulnerability rated 5/10 on the CVSS scale. MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. EPSS estimates a 0.46% chance of exploitation in the next 30 days.

Description

MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.

Metrics

CVSS 3.1
5/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS Probability
0.46%

36.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
MybbMybb< 1.8.38

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-23336?
MyBB is a free and open source forum software. The default list of disallowed remote hosts does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) vulnerability. The Configuration File's _Disallowed Remote Addresses_ list (`$config['disallowed_remote_addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. MyBB 1.8.38 resolves this issue in default installations. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Additionally, users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. Users unable to upgrade may manually add 127.0.0.0/8' to their disallowed address list.
How severe is CVE-2024-23336?
CVE-2024-23336 has a CVSS score of 5/10 (MEDIUM severity). The EPSS model estimates a 0.46% probability of exploitation in the next 30 days.
How do I fix CVE-2024-23336?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-23336?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST