Vulnerability Details: CVE-2016-9417
The fetch_remote_file function in MyBB (aka MyBulletinBoard) before 1.8.8 and MyBB Merge System before 1.8.8 allows remote attackers to conduct server-side request forgery (SSRF) attacks via unspecified vectors.
Vulnerability category: Server-side request forgery (SSRF)
Exploit prediction scoring system (EPSS) score for CVE-2016-9417
Probability of exploitation activity in the next 30 days: 0.22%
Percentile (the proportion of vulnerabilities scored at or below this one): ~59%
CVSS scores for CVE-2016-9417
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
| 5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST |
| 7.4 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N | 2.8 | 4.0 | NIST |
CWE ids for CVE-2016-9417
- The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-9417
- http://www.openwall.com/lists/oss-security/2016/11/10/8 : oss-security - CVE request: MyBB multiple vulnerabilities (Mailing List; Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/94396 : MyBB Versions Prior To 1.8.8 Multiple Security Vulnerabilities (Third Party Advisory; VDB Entry)
- https://blog.mybb.com/2016/10/17/mybb-1-8-8-merge-system-1-8-8-release/ : MyBB 1.8.8 & Merge System 1.8.8 Release | MyBB Blog (Release Notes; Patch; Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2016/11/18/1 : oss-security - Re: CVE request: MyBB multiple vulnerabilities (Mailing List; Patch; Third Party Advisory)
Products affected by CVE-2016-9417
- cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:merge_system:*:*:*:*:*:*:*:*