CVE-2021-27946
published 2021-03-15

CVE-2021-27946: SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).

Priority: P260 · Severity: high · Score: 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.20% (89.7th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
mybb | mybb | < 1.8.26 | 1.8.26

Detection & IOCs (extracted from sources)

command: 1','2',ascii((select version())),'0','0','1','1') -- -a
command: 1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a
url: https://resources.mybb.com/downloads/mybb_1825.zip

  • Monitor POST requests to the 'Edit Poll' endpoint for the `votes[]` parameter containing SQL metacharacters, particularly single quotes, comment sequences (`-- -`), or SQL functions such as `ascii(`, `substring(`, `SELECT` within the vote count field.
  • Alert on SQL errors surfacing in HTTP responses during Move/Copy thread operations on MyBB forums, as a malformed payload will produce a visible SQL error at that step.
  • Watch for anomalous integer values in the poll 'total vote count' field after a Move/Copy operation; exfiltrated data is encoded as ASCII integer values (covert channel) extracted one character at a time.
  • Detect chained exploitation attempts combining CVE-2021-27946 with CVE-2021-27889 (XSS): an external JavaScript file may automate the injection and exfiltrate resulting password hashes to an attacker-controlled server.
  • On PostgreSQL or MS-SQL backends, watch for stacked query patterns (semicolon-delimited statements) in the `votes[]` parameter, as these databases allow full command execution including UPDATE of admin credentials.
  • Exploitability depends on whether the attacker has poll-edit permissions. In default configurations only moderators and administrators can edit polls, but some forum configurations grant this to regular users, widening the attack surface.
  • The patch for this vulnerability is available in the MyBB GitHub commit aa415f08bce01f95a8319b707bb18eb67833f4c1. Installations running MyBB < 1.8.26 are vulnerable.
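
The `votes[]` monitoring described in the notes above can be sketched as a small check over form-encoded request bodies. This is an added example, not code from MyBB or from the sources this page cites; the sample bodies are constructed, the `question` field is a placeholder, and the rule that a legitimate vote count is a plain non-negative integer is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Indicators named in the notes above, checked against each votes[...] value.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "sql_comment": re.compile(r"--\s"),
    "sql_function": re.compile(r"\b(?:ascii|substring)\s*\(|\bselect\b", re.I),
    "stacked_query": re.compile(r";"),
}
VOTES_KEY = re.compile(r"^votes\[[^\]]*\]$")


def inspect_body(body):
    """Return one finding per votes[...] field whose value is not a plain integer."""
    findings = []
    # parse_qsl URL-decodes, so %27 and '+' are matched in their decoded form.
    for key, value in parse_qsl(body):
        if not VOTES_KEY.match(key):
            continue
        # Assumption: a legitimate vote count is a non-negative decimal integer.
        if value.isascii() and value.isdigit():
            continue
        reasons = sorted(n for n, rx in INDICATORS.items() if rx.search(value))
        findings.append({"field": key, "reasons": reasons or ["non_integer"]})
    return findings


# Constructed request bodies (field names other than votes[] are placeholders).
# The second value is the first command string quoted on this page.
SAMPLE_BODIES = [
    urlencode({"question": "Lunch?", "votes[1]": "12", "votes[2]": "7"}),
    urlencode({"votes[1]": "1','2',ascii((select version())),'0','0','1','1') -- -a"}),
    urlencode({"votes[1]": "4", "votes[2]": "5; SELECT 1"}),
    urlencode({"votes[1]": "twelve"}),
]


def scan(bodies):
    """Map body index -> findings, keeping only bodies that triggered."""
    results = {}
    for i, body in enumerate(bodies):
        hits = inspect_body(body)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_BODIES).items():
        print(idx, hits)
```

Flagging any non-integer value first and classifying it second means a value that matches none of the listed patterns is still reported as `non_integer`.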

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P