CVE-2025-29458

An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.

CVSS

No CVSS.

References

Link	Resource
https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses	Mitigation Product
https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mybb:mybb:1.8.38:*:*:*:*:*:*:*

History

24 Apr 2025, 14:14

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mybb:mybb:1.8.38:::::::*
References	~~() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses -~~	() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses - Mitigation, Product
References	~~() https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e -~~	() https://www.yuque.com/morysummer/vx41bz/qu7zyyxr84qno64e - Exploit, Third Party Advisory
First Time		Mybb Mybb mybb

23 Apr 2025, 13:15

Type	Values Removed	Values Added
Summary	~~An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function.~~	An issue in MyBB 1.8.38 allows a remote attacker to obtain sensitive information via the Change Avatar function. NOTE: the Supplier disputes this because of the allowed actions of Board administrators and because of SSRF mitigation.
References		() https://docs.mybb.com/1.8/administration/security/protection/#limit-access-to-private-hosts-and-ip-addresses -

17 Apr 2025, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-17 22:15

Updated : 2025-04-24 14:14

NVD link : CVE-2025-29458

Mitre link : CVE-2025-29458

JSON object : View

Products Affected

mybb

mybb

CWE

No CWE.

JSON object

Attach tags to CVE-2025-29458

Attach tags to `CVE-2025-29458`