CVE-2025-29457

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS

No CVSS.

References

Link	Resource
https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Mitigation Product
https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*

History

24 Apr 2025, 14:13

Type	Values Removed	Values Added
References	~~() https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv -~~	() https://www.yuque.com/morysummer/vx41bz/vro4dvxzuiwlg6uv - Exploit, Third Party Advisory
References	~~() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses -~~	() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses - Mitigation, Product
First Time		Mybb Mybb mybb
CPE		cpe:2.3:a:mybb:mybb:1.8.38:::::::*

23 Apr 2025, 13:15

Type	Values Removed	Values Added
References		() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses -
Summary	~~An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function.~~	An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Import a Theme function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

17 Apr 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-17 22:15

Updated : 2025-04-24 14:13

NVD link : CVE-2025-29457

Mitre link : CVE-2025-29457

JSON object : View

Products Affected

mybb

mybb

CWE

No CWE.

JSON object

Attach tags to CVE-2025-29457

Attach tags to `CVE-2025-29457`