CRITICAL🇵🇱 Wersja polska

CVE-2011-10018

CVSS 10.0v4.0pub. 2025-08-13upd. 2025-08-14

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

🤖 AI Analysis
How it works

The backdoor was introduced into the MyBB 1.6.4 distribution package during the packaging stage — it was not part of the original application logic. An attacker can execute arbitrary PHP code by injecting an appropriately prepared payload into a specially constructed cookie header named 'collapsed'. The exploit does not require authentication or any user interaction, and code execution occurs in the context of web application permissions on the server.

Impact

An attacker gains the ability to execute arbitrary PHP code on the server, resulting in complete takeover of the web server, including access to application data, database, and the possibility of further lateral movement in the infrastructure.

Mitigation & patch

MyBB should be immediately updated to a version higher than 1.6.4 or patches indicated by the vendor in the official security notice (blog.mybb.com) should be applied. All installations based on version 1.6.4 should be treated as fully compromised and a server security audit should be conducted.

Who is affected

MyBB version 1.6.4 — only this version was distributed with the embedded backdoor

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Mybb

    APP
    Mybb
    1.6.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2020-22612CRITICAL9.8ten sam produkt

Installer RCE on settings file write in MyBB before 1.8.22.

CVE-2017-16780CRITICAL9.8ten sam produkt

The installer in MyBB before 1.8.13 allows remote attackers to execute arbitrary code by writing to the config...

CVE-2016-9412CRITICAL9.8ten sam produkt

MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified...

CVE-2015-8974CRITICAL10.0ten sam produkt

SQL injection vulnerability in the Group Promotions module in the admin control panel in MyBB (aka MyBulletinB...

CVE-2016-9402CRITICAL9.8ten sam produkt

SQL injection vulnerability in the moderation tool in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge S...