CVE-2024-23335 - Vulnerability Details - OpenCVE

MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mybb	Mybb

Configuration 1 [-]

cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch
https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r
https://mybb.com/versions/1.8.38

History

Mon, 30 Jun 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mybb Mybb mybb
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:mybb:mybb::::::::
Vendors & Products		Mybb Mybb mybb

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-05-01T06:27:42.162Z

Updated: 2024-08-01T22:59:32.211Z

Reserved: 2024-01-15T15:19:19.443Z

Link: CVE-2024-23335

Vulnrichment

Updated: 2024-08-01T22:59:32.211Z

NVD

Status : Analyzed

Published: 2024-05-01T07:15:38.240

Modified: 2025-06-30T15:03:32.623

Link: CVE-2024-23335

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-23335", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-01-15T15:19:19.443Z", "datePublished": "2024-05-01T06:27:42.162Z", "dateUpdated": "2024-08-01T22:59:32.211Z"}, "containers": {"cna": {"title": "Backups directory .htaccess deletion in. MyBB", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"}, {"name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "tags": ["x_refsource_MISC"], "url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"}, {"name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC"], "url": "https://mybb.com/versions/1.8.38"}], "affected": [{"vendor": "mybb", "product": "mybb", "versions": [{"version": "< 1.8.38", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:27:42.162Z"}, "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability"}], "source": {"advisory": "GHSA-94xr-g4ww-j47r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T14:28:16.476681Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:22:58.738Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.211Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"}, {"name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"}, {"name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://mybb.com/versions/1.8.38"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://mybb.com/versions/1.8.38", "name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:59:32.211Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-23335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-03T14:28:16.476681Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:44.631Z"}}], "cna": {"title": "Backups directory .htaccess deletion in. MyBB", "source": {"advisory": "GHSA-94xr-g4ww-j47r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mybb", "product": "mybb", "versions": [{"status": "affected", "version": "< 1.8.38"}]}], "references": [{"url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "name": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "name": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch", "tags": ["x_refsource_MISC"]}, {"url": "https://mybb.com/versions/1.8.38", "name": "https://mybb.com/versions/1.8.38", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-05-01T06:27:42.162Z"}}}, "cveMetadata": {"cveId": "CVE-2024-23335", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:59:32.211Z", "dateReserved": "2024-01-15T15:19:19.443Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-05-01T06:27:42.162Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AA2C895-E246-429E-A8DA-DE9A52BDEEC9", "versionEndExcluding": "1.8.38", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability"}, {"lang": "es", "value": "MyBB es un software de foro gratuito y de c\u00f3digo abierto. El m\u00f3dulo de gesti\u00f3n de copias de seguridad del Admin CP puede aceptar `.htaccess` como nombre del archivo de copia de seguridad que se eliminar\u00e1, lo que puede exponer los archivos de copia de seguridad almacenados a trav\u00e9s de HTTP en servidores Apache. MyBB 1.8.38 resuelve este problema. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad"}], "id": "CVE-2024-23335", "lastModified": "2025-06-30T15:03:32.623", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-05-01T07:15:38.240", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://mybb.com/versions/1.8.38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/mybb/mybb/commit/450259e501b94c9d483efb167cb2bf875605e111.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/mybb/mybb/security/advisories/GHSA-94xr-g4ww-j47r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Release Notes"], "url": "https://mybb.com/versions/1.8.38"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}