CVE-2021-27946
published 2021-03-15
CVE-2021-27946: SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. (issue 1 of 3).
Priority P2 · 60 · high · 8.8 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.20% (89.7th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mybb | mybb | < 1.8.26 | 1.8.26 |
Detection & IOCs
command: `1','2',ascii((substring((SELECT password FROM mybb_users WHERE username="sivertpl"), 2, 1))),'0','0','1','1') -- -a`
- Monitor POST requests to the 'Edit Poll' endpoint for the `votes[]` parameter containing SQL metacharacters, particularly single quotes, comment sequences (`-- -`), or SQL functions such as `ascii(`, `substring(`, `SELECT` within the vote count field.
- Alert on SQL errors surfacing in HTTP responses during Move/Copy thread operations on MyBB forums, as a malformed payload will produce a visible SQL error at that step.
- Watch for anomalous integer values in the poll 'total vote count' field after a Move/Copy operation; exfiltrated data is encoded as ASCII integer values (covert channel) extracted one character at a time.
- Detect chained exploitation attempts combining CVE-2021-27946 with CVE-2021-27889 (XSS): an external JavaScript file may automate the injection and exfiltrate resulting password hashes to an attacker-controlled server.
- On PostgreSQL or MS-SQL backends, watch for stacked query patterns (semicolon-delimited statements) in the `votes[]` parameter, as these databases allow full command execution including UPDATE of admin credentials.
- Exploitability depends on whether the attacker has poll-edit permissions. In default configurations only moderators and administrators can edit polls, but some forum configurations grant this to regular users, widening the attack surface.
- The patch for this vulnerability is available in the MyBB GitHub commit aa415f08bce01f95a8319b707bb18eb67833f4c1. Installations running MyBB < 1.8.26 are vulnerable.
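
The `votes[]` checks from the first and fifth detection notes, as an added example that is not part of the original page or of MyBB's code. It assumes poll-edit request bodies are captured as `application/x-www-form-urlencoded` strings; the function name, indicator labels and sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Indicators named in the detection notes; the labels are this example's own.
INDICATORS = {
    "single_quote": re.compile(r"'"),
    "sql_comment": re.compile(r"--|/\*|#"),
    "sql_keyword": re.compile(r"(?:ascii|substring)\s*\(|\b(?:select|update)\b", re.I),
    "stacked_query": re.compile(r";"),
}
VOTE_KEY = re.compile(r"^votes\[[^\]]*\]$")
VALID_COUNT = re.compile(r"^\d{1,10}$")  # a vote count should be a plain integer

# Constructed sample bodies (not taken from real traffic).
SAMPLE_BODIES = [
    "my_post_key=abc&votes%5B1%5D=12&votes%5B2%5D=7",
    "votes%5B1%5D=3&votes%5B2%5D=1%27%2Cascii%28substring%28%27x%27%2C1%2C1%29%29+--+-",
    "votes%5B1%5D=1%3B+UPDATE+t+SET+c%3D1",
]


def inspect_poll_body(body: str) -> list[dict]:
    """Return one finding per votes[] field whose value is not a plain integer."""
    findings = []
    for key, value in parse_qsl(body):  # URL-decodes keys and values
        if not VOTE_KEY.match(key) or VALID_COUNT.match(value.strip()):
            continue
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(value))
        # Anything non-numeric is reported, even without a known indicator.
        findings.append({"field": key, "value": value,
                         "indicators": hits or ["non_integer"]})
    return findings


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        for finding in inspect_poll_body(body):
            print(finding["field"], finding["indicators"], repr(finding["value"]))
```

Treating every non-integer vote count as a finding keeps the rule useful against payloads that avoid the listed keywords.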
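CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |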
Published: 2021-03-15