fkie_cve-2025-48941
Vulnerability from fkie_nvd
Published
2025-06-02 16:15
Modified
2025-07-02 15:14
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue.
References
security-advisories@github.comhttps://github.com/mybb/mybb/commit/b8cc332a27e145c33effaccec90e23c103ae5193Patch
security-advisories@github.comhttps://github.com/mybb/mybb/security/advisories/GHSA-f847-57xc-ffwrVendor Advisory
security-advisories@github.comhttps://mybb.com/versions/1.8.39Product, Release Notes
Impacted products
Vendor Product Version
mybb mybb *


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C6445406-D542-43F3-97A5-BB4BDC20E2FA",
              "versionEndExcluding": "1.8.39",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "MyBB is free and open source forum software. Prior to version 1.8.39, the search component does not validate permissions correctly, which allows attackers to determine the existence of hidden (draft, unapproved, or soft-deleted) threads containing specified text in the title. The visibility state (`mybb_threads.visible` integer column) of threads is not validated in internal search queries, whose result is used to output a general success or failure of the search. While MyBB validates permissions when displaying the final search results, a search operation that internally produces at least one result outputs a redirect response (as a HTTP redirect, or a success message page with delayed redirect, depending on configuration). On the other hand, a search operation that internally produces no results outputs a corresponding message in the response without a redirect. This allows a user to determine whether threads matching title search parameters exist, including draft threads (`visible` with a value of `-2`), soft-deleted threads (`visible` with a value of `-1`), and unapproved threads (`visible` with a value of `0`); in addition to displaying generally visible threads (`visible` with a value of `1`). This vulnerability does not affect other layers of permissions. In order to exploit the vulnerability, the user must have access to the search functionality, and general access to forums containing the thread(s). The vulnerability does not expose the message content of posts. MyBB 1.8.39 resolves this issue."
    },
    {
      "lang": "es",
      "value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. Antes de la versi\u00f3n 1.8.39, el componente de b\u00fasqueda no validaba correctamente los permisos, lo que permit\u00eda a los atacantes determinar la existencia de hilos ocultos (borradores, no aprobados o eliminados temporalmente) que conten\u00edan el texto especificado en el t\u00edtulo. El estado de visibilidad (columna entera `mybb_threads.visible`) de los hilos no se valida en las consultas de b\u00fasqueda internas, cuyo resultado se utiliza para indicar si la b\u00fasqueda se ha realizado correctamente o no. Si bien MyBB valida los permisos al mostrar los resultados finales de la b\u00fasqueda, una operaci\u00f3n de b\u00fasqueda que produce internamente al menos un resultado genera una respuesta de redirecci\u00f3n (como una redirecci\u00f3n HTTP o una p\u00e1gina de mensaje de \u00e9xito con redirecci\u00f3n retrasada, seg\u00fan la configuraci\u00f3n). Por otro lado, una operaci\u00f3n de b\u00fasqueda que no produce resultados internamente genera un mensaje correspondiente en la respuesta sin redirecci\u00f3n. Esto permite al usuario determinar si existen hilos que coinciden con los par\u00e1metros de b\u00fasqueda de t\u00edtulo, incluyendo borradores (visibles con un valor de -2), hilos eliminados temporalmente (visibles con un valor de -1) e hilos no aprobados (visibles con un valor de 0); adem\u00e1s de mostrar hilos visibles (visibles con un valor de 1). Esta vulnerabilidad no afecta a otras capas de permisos. Para explotarla, el usuario debe tener acceso a la funci\u00f3n de b\u00fasqueda y acceso general a los foros que contienen los hilos. La vulnerabilidad no expone el contenido de los mensajes. MyBB 1.8.39 soluciona este problema."
    }
  ],
  "id": "CVE-2025-48941",
  "lastModified": "2025-07-02T15:14:30.267",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-02T16:15:30.223",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/mybb/mybb/commit/b8cc332a27e145c33effaccec90e23c103ae5193"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/mybb/mybb/security/advisories/GHSA-f847-57xc-ffwr"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://mybb.com/versions/1.8.39"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1230"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.