CVE-2021-27890
published 2021-03-15

CVE-2021-27890: SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.

Priority: P2 · 64 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploit: yes
EPSS: 10.59% (95.2th percentile)
SQL Injection vulnerability in MyBB before 1.8.26 via theme properties included in theme XML files.

Affected (1 range)

Vendor | Product | Version range | Fixed in
mybb   | mybb    | < 1.8.26      | 1.8.26

Detection & IOCs (extracted from sources)

url: /admin/index.php?module=style-themes&action=set_default&tid=<tid>&my_post_key=<token>
url: /admin/index.php?module=style-themes
filename: payload
version: 1821
  • Detect the nested autourl XSS vector in MyBB posts and PMs: look for BBCode [img] tags whose URL contains a closing parenthesis, followed by a second URL carrying an onerror= attribute whose handler calls eval(String.fromCharCode(...)).
  • Monitor ACP HTTP requests for theme set_default actions (module=style-themes&action=set_default) that immediately follow a theme import; setting the poisoned theme as default is the final trigger for RCE via eval() of the poisoned template cache.
  • Detect outbound reverse-shell connections on port 5554 from the web server process (apache, nginx or php-fpm) spawning /bin/sh, indicative of successful RCE.
  • The exploit chain requires the target administrator to hold a valid ACP session; correlate XSS delivery (via PM or post) with subsequent ACP-authenticated requests to style-themes endpoints as a chained-attack indicator.
  • The exploit is a chained attack with three preconditions: (1) a valid admin ACP session, (2) the XSS stage executing in the admin's browser, and (3) the SQL injection stage completing the theme import. All three must succeed for RCE.
  • The XSS payload uses document.write() to load a second-stage .js file from an attacker-controlled external server, described in the source as a way to "bypass" SOP; the external JS URL must be live for the exploit to proceed.
  • The SQL injection is second-order (stored) and is triggered during theme XML import in the ACP; the malicious payload is embedded in theme XML properties and only fires when the theme is set as default and the cache is reloaded.
  • RCE is achieved when PHP eval() renders a template containing ${passthru(base64_decode(...))}; this relies on MyBB rendering templates through eval() and on passthru() not being listed in disable_functions in php.ini.
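The three host-side indicators above (the nested autourl [img] payload, the import-then-set_default ACP request sequence, and the ${passthru(...)} template injection) can be checked offline against post bodies, web server access logs and template text. The following is an added example written for this page, not MyBB code or the source's own tooling. The post bodies, template strings and access-log lines are constructed for illustration; the ACP parameter action=import for the theme-import step is an assumption about MyBB's URL scheme (the page only names the set_default URL), and the list of PHP functions matched inside ${...} extends the page's passthru() example to a few similar command-execution functions.

```python
"""Indicator checks for the CVE-2021-27890 exploit chain (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# --- Indicator 1: nested autourl XSS in posts/PMs -------------------------------
# An [img] tag whose URL contains ')' followed by a second URL carrying onerror=
# whose handler decodes its payload with eval(String.fromCharCode(...)).
NESTED_AUTOURL_XSS = re.compile(
    r"\[img\][^\[\]]*\)"                              # [img] tag with ')' in its URL
    r".*?https?://[^\s\[\]]*[\s\"']*onerror="         # second URL carrying onerror=
    r".*?eval\(String\.fromCharCode\(",               # runtime-decoded handler
    re.IGNORECASE | re.DOTALL,
)

def is_nested_autourl_xss(body: str) -> bool:
    """True if a post/PM body matches the nested autourl XSS vector."""
    return NESTED_AUTOURL_XSS.search(body) is not None

# --- Indicator 3: PHP code inside template variables ----------------------------
# The page's payload is ${passthru(base64_decode(...))}; the extra function names
# are an extension for similar command-execution primitives (assumption).
TEMPLATE_EXEC = re.compile(
    r"\$\{\s*(?:passthru|system|exec|shell_exec)\s*\(", re.IGNORECASE
)

def template_has_exec_injection(template: str) -> bool:
    """True if template text carries a ${<exec function>(...)} injection."""
    return TEMPLATE_EXEC.search(template) is not None

# --- Indicator 2: theme import followed by set_default in the ACP ---------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"  # Apache/nginx combined log timestamp

def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "path": m["path"]}

def acp_theme_action(path: str) -> Optional[str]:
    """Return the style-themes ACP action in a request path, or None."""
    u = urlsplit(path)
    if not u.path.endswith("/admin/index.php"):
        return None
    q = parse_qs(u.query)
    if q.get("module") != ["style-themes"]:
        return None
    return q.get("action", [None])[0]

def find_import_then_set_default(lines: List[str], window: timedelta = timedelta(minutes=10)) -> List[Tuple[str, datetime]]:
    """Alert on set_default requests within `window` of a theme import from the same client."""
    last_import: Dict[str, datetime] = {}
    alerts: List[Tuple[str, datetime]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action = acp_theme_action(rec["path"])
        if action == "import":  # assumed parameter name for the theme-import step
            last_import[rec["ip"]] = rec["ts"]
        elif action == "set_default":
            t0 = last_import.get(rec["ip"])
            if t0 is not None and rec["ts"] - t0 <= window:
                alerts.append((rec["ip"], rec["ts"]))
    return alerts

# --- Constructed sample inputs (not real traffic or real payloads) ---------------
XSS_SAMPLE = ("[img]http://attacker.example/x.png)[/img]http://attacker.example/y.png "
              "onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))")
BENIGN_POST = "[img]http://cdn.example/photo(1).png[/img] see https://example.org/docs?onerror=not_really"
POISONED_TEMPLATE = '<div class="footer">${passthru(base64_decode("aWQ="))}</div>'
CLEAN_TEMPLATE = '<div class="footer">{$lang->footer} {$mybb->settings[\'bbname\']}</div>'
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Mar/2021:10:02:10 +0000] "POST /admin/index.php?module=style-themes&action=import HTTP/1.1" 200 2048',
    '203.0.113.7 - - [15/Mar/2021:10:02:14 +0000] "GET /admin/index.php?module=style-themes&action=set_default&tid=3&my_post_key=abc123 HTTP/1.1" 302 0',
    '198.51.100.9 - - [15/Mar/2021:11:30:00 +0000] "GET /admin/index.php?module=style-themes&action=set_default&tid=2&my_post_key=def456 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("xss:", is_nested_autourl_xss(XSS_SAMPLE), is_nested_autourl_xss(BENIGN_POST))
    print("template:", template_has_exec_injection(POISONED_TEMPLATE), template_has_exec_injection(CLEAN_TEMPLATE))
    for ip, ts in find_import_then_set_default(SAMPLE_LOG):
        print(f"ALERT import->set_default from {ip} at {ts.isoformat()}")
```

The second set_default request in the sample log (from 198.51.100.9) produces no alert because no theme import preceded it from that client; the correlation window is deliberately short, since in the chain the admin's browser issues the import and the set_default back to back.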

CVSS provenance

nvd | v3.1 | 8.8 HIGH   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P