CVE-2021-27890

CVSS 3.x base score: 8.8 HIGH

📋 TL;DR

CVE-2021-27890 is a SQL injection in MyBB's Admin Control Panel theme import: property values taken from an uploaded theme XML file were written to the database without proper escaping, so anyone who can import a theme can run arbitrary SQL against the forum database. On its own it needs an administrator session; chained with a bug that yields one, such as the stored XSS fixed in the same release (CVE-2021-27889), and with MyBB's template system, it has been used for remote code execution. All MyBB 1.8 releases before 1.8.26 are affected.

💻 Affected Systems

Products:
  • MyBB
Versions: All versions before 1.8.26
Operating Systems: All platforms running MyBB
Default Config Vulnerable: ⚠️ Yes
Notes: Theme import is an Admin CP function, so direct exploitation needs an administrator session. In practice that session comes from a chained vulnerability (for example XSS against a logged-in administrator) or from a compromised admin account.

📦 What is this software?

MyBB is free, open-source forum software written in PHP with MySQL, PostgreSQL and SQLite backends. Themes are packaged as XML files and installed through the Admin Control Panel, which is the code path this CVE concerns.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution (the SQL injection is used to plant a malicious template, which MyBB evaluates as PHP), followed by complete server compromise, data theft and attacker persistence.

🟠 Likely Case

Database compromise: reading or modifying any forum table (password hashes, private messages, settings), privilege escalation by editing group memberships, and a pivot toward RCE through chained exploits.

🟢 If Mitigated

With 1.8.26 applied, a least-privilege database account and Admin CP access locked down, the remaining exposure is an administrator importing an untrusted theme, which the patched release stores as inert data.

🌐 Internet-Facing: HIGH - MyBB forums are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal instances could still be exploited by malicious insiders or through compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation needs an Admin CP session (theme import is an administrator function) or a chain through another vulnerability that yields one. Public exploit code and a detailed write-up of the XSS-to-SQL-injection-to-RCE chain are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.26

Vendor Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-r34m-ccm8-mfhq

Restart Required: No

Instructions:

1. Back up the MyBB files and the database.
2. Download MyBB 1.8.26 or later from the official website.
3. Upload the new files over the existing installation, keeping your configuration files (inc/config.php, inc/settings.php) and the uploads directory.
4. Run the upgrade script (install/upgrade.php) when upgrading across versions, then remove the install directory or create the install/lock file so the installer cannot be re-run.

🔧 Temporary Workarounds

Restrict theme imports (applies to: all)

Theme import lives in the Admin CP, so lock that down: limit the admin directory by IP or HTTP authentication, enable MyBB's secret PIN for the ACP ($config['secret_pin'] in inc/config.php), keep the number of administrator accounts minimal, and only import theme XML files from trusted sources after inspecting them.

Input validation for theme properties (applies to: all)

Until the upgrade, inspect the property values in any theme XML before importing it: values such as image directories, colours and pixel widths should never contain quote characters, semicolons or SQL keywords. This is a stopgap; the real fix is the escaping applied in 1.8.26.

🧯 If You Can't Patch

  • Restrict Admin CP access as above, and review every existing theme on disk and in the database for property values containing quotes or SQL fragments
  • Run the forum's database user with least privilege (its own schema, no FILE or administrative grants) so a successful injection cannot reach beyond the forum's tables
  • Apply web application firewall rules for SQL injection, bearing in mind that the payload here sits inside an uploaded XML file in a POST body, which many WAF rule sets do not inspect
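The mechanism described in the TL;DR, and the review of existing theme XML files that the last bullet calls for, as an added example. This is constructed illustration code, not MyBB's source: the `themes` table and the JSON serialisation stand in for MyBB's themes table and PHP's `serialize()`, the theme XML follows the general shape of a MyBB 1.8 theme export (a `<properties>` block of simple elements), and the database is in-memory SQLite so everything runs offline. It shows the pre-fix pattern (serialised property values concatenated into the INSERT) beside the parameterised form, and a small scanner that flags property values carrying SQL metacharacters.

```python
"""Added example, not MyBB code: an unescaped theme property reaching SQL.

Assumptions: the <properties> layout mimics a MyBB 1.8 theme export; the
`themes` table and JSON serialisation stand in for MyBB's themes table and
PHP serialize(); SQLite replaces MySQL so the example runs offline.
"""
import json
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed theme file an administrator would "import" in the ACP.  Every
# value is ordinary except <logo>, which closes the SQL string literal and
# appends a second VALUES tuple that copies user credentials into a theme row.
MALICIOUS_THEME_XML = """<?xml version="1.0" encoding="UTF-8"?>
<theme name="Evil Theme" version="1825">
  <properties>
    <templateset>1</templateset>
    <imgdir>images</imgdir>
    <logo>x'), ('Backdoor', 0, (SELECT group_concat(username || ':' || password) FROM mybb_users)) -- </logo>
  </properties>
</theme>
"""


def parse_theme(xml_text):
    """Return (theme name, {property tag: text}) from a theme XML document."""
    root = ET.fromstring(xml_text)
    props = {el.tag: (el.text or "") for el in root.find("properties")}
    return root.get("name", ""), props


def new_db():
    """In-memory stand-in for the forum database, seeded with one admin user."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mybb_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE themes (tid INTEGER PRIMARY KEY, name TEXT, pid INTEGER, properties TEXT);
        INSERT INTO mybb_users (username, password) VALUES ('admin', '$2y$hash-of-admin');
    """)
    return db


def import_theme_vulnerable(db, xml_text, pid=0):
    """Pre-1.8.26 pattern: the serialised properties are spliced into the query
    text, so a quote inside a property value becomes SQL syntax."""
    name, props = parse_theme(xml_text)
    serialised = json.dumps(props)  # serialisation is not SQL escaping
    db.execute("INSERT INTO themes (name, pid, properties) "
               f"VALUES ('{name}', {pid}, '{serialised}')")
    db.commit()


def import_theme_fixed(db, xml_text, pid=0):
    """Fixed pattern: the value is bound as a parameter and never parsed as SQL
    (binding is the sqlite3 equivalent of the escaping the fixed release applies)."""
    name, props = parse_theme(xml_text)
    db.execute("INSERT INTO themes (name, pid, properties) VALUES (?, ?, ?)",
               (name, pid, json.dumps(props)))
    db.commit()


def theme_rows(db):
    """All theme rows as (name, properties), in insertion order."""
    return db.execute("SELECT name, properties FROM themes ORDER BY tid").fetchall()


# Quote characters, comment openers or SQL verbs have no business in a theme
# property such as an image directory or a pixel width.
SQL_META = re.compile(r"""['";]|--|/\*|\b(select|union|insert|update|delete|drop)\b""", re.I)


def suspicious_properties(xml_text):
    """Review aid for theme XML already on disk: (tag, value) pairs whose value
    carries SQL metacharacters or keywords."""
    _, props = parse_theme(xml_text)
    return [(tag, value) for tag, value in props.items() if SQL_META.search(value)]


def demo():
    """Import the same file through both code paths and return the resulting rows."""
    vuln_db, fixed_db = new_db(), new_db()
    import_theme_vulnerable(vuln_db, MALICIOUS_THEME_XML)
    import_theme_fixed(fixed_db, MALICIOUS_THEME_XML)
    return theme_rows(vuln_db), theme_rows(fixed_db)


if __name__ == "__main__":
    vuln_rows, fixed_rows = demo()
    print("vulnerable import:", vuln_rows)   # second row 'Backdoor' holds admin:<hash>
    print("fixed import:     ", fixed_rows)  # one row, payload stored as inert text
    print("flagged on review:", suspicious_properties(MALICIOUS_THEME_XML))
```

Through the vulnerable path the import creates a second theme row whose properties field contains the admin's username and password hash, readable afterwards from the ACP theme list; through the fixed path the same file produces one row with the payload stored as text. The scanner is deliberately noisy (a legitimate colour value will never trip it, a CSS-heavy property might), which is the right trade-off for a manual review of a handful of theme files.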

🔍 How to Verify

Check if Vulnerable:

Read the version on the Admin CP home page, or in inc/class_core.php, where MyBB 1.8 declares both the dotted version string and an integer version code.

Check Version:

grep -E '\$version(_code)? *=' inc/class_core.php

Verify Fix Applied:

Confirm the version is 1.8.26 or later (version code 1826 or higher). As a functional check on a staging copy, import a theme XML whose property value contains a single quote: a patched install stores the value literally and the import completes without a database error.
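The version check above, written out as an added example (not part of the page or of MyBB). It assumes the MyBB 1.8 layout in which inc/class_core.php declares `public $version = "1.8.26";` and `public $version_code = 1826;`, and compares the integer version code rather than the dotted string so that a version such as "1.8.9" is not mistaken for something newer than "1.8.26". The two sample excerpts are constructed so the script runs without a forum present.

```python
"""Added example, not MyBB code: decide whether a MyBB tree has the 1.8.26 fix.

Assumption: as in MyBB 1.8, inc/class_core.php declares the running version as
    public $version = "1.8.26";
    public $version_code = 1826;
The integer version_code is compared rather than the dotted string, so that
"1.8.9" is not mistaken for something newer than "1.8.26".
"""
import re
import sys
from pathlib import Path

FIXED_VERSION_CODE = 1826  # 1.8.26 is the first release with the fix

VERSION_CODE_RE = re.compile(r"\$version_code\s*=\s*(\d+)\s*;")
VERSION_RE = re.compile(r'\$version\s*=\s*"([^"]+)"\s*;')


def version_from_source(php_source):
    """Return (dotted version or None, integer version code or None)."""
    v = VERSION_RE.search(php_source)
    c = VERSION_CODE_RE.search(php_source)
    return (v.group(1) if v else None, int(c.group(1)) if c else None)


def assess(php_source):
    """'patched', 'vulnerable' or 'unknown' for the text of inc/class_core.php."""
    _, code = version_from_source(php_source)
    if code is None:
        return "unknown"
    return "patched" if code >= FIXED_VERSION_CODE else "vulnerable"


def assess_install(root):
    """Same verdict for an installation directory (the forum's web root)."""
    path = Path(root) / "inc" / "class_core.php"
    if not path.is_file():
        return "unknown"
    return assess(path.read_text(encoding="utf-8", errors="replace"))


# Constructed excerpts in the shape of inc/class_core.php, for a run without a forum.
SAMPLE_OLD = 'class MyBB\n{\n\tpublic $version = "1.8.25";\n\tpublic $version_code = 1825;\n}\n'
SAMPLE_NEW = 'class MyBB\n{\n\tpublic $version = "1.8.26";\n\tpublic $version_code = 1826;\n}\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_mybb.py /var/www/forum
        print(sys.argv[1], assess_install(sys.argv[1]))
    else:
        for label, src in (("1.8.25", SAMPLE_OLD), ("1.8.26", SAMPLE_NEW)):
            print(label, version_from_source(src), assess(src))
```

An "unknown" verdict (no version code found, or no inc/class_core.php under the given root) is worth treating as a finding in its own right: it usually means a heavily modified or non-1.8 tree that needs a manual look.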

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the Admin CP theme importer (admin/index.php with module=style-themes&action=import on a default install), especially from an IP address that has not used the ACP before
  • Database query logs showing unexpected statements during a theme import (reads of the users table, writes to template rows)
  • New or modified theme and template rows that no administrator remembers creating
  • Administrative actions from unexpected IPs or at unusual times

Network Indicators:

  • SQL injection patterns in GET query strings (the theme payload itself travels in the POST body, which web logs do not record)
  • Unusual database connection patterns, such as the web tier issuing queries outside the forum's normal tables

SIEM Query:

source="web_logs" method="POST" uri_path="*/admin/index.php" uri_query="*module=style-themes*action=import*"

Field names vary by SIEM. Searching the request line for SQL keywords will not catch this vulnerability, because the XML is in the request body; alert on the import request itself and correlate it with the administrator session's source IP and login time.
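The log checks above run over constructed access-log lines, as an added example that is not part of the page or of MyBB. It assumes Apache/nginx combined log format and that the ACP theme importer is reached at admin/index.php?module=style-themes&action=import (the MyBB 1.8 layout; adjust if the admin directory was renamed). Because the uploaded XML travels in the POST body, which access logs do not record, the rule for this CVE fires on the import request itself; the second rule catches generic SQL probing in GET query strings elsewhere on the forum.

```python
"""Added example, not from the page or MyBB: the log checks applied to
constructed web-server access log lines.

Assumptions: Apache/nginx combined log format; the ACP theme importer is
reached at admin/index.php?module=style-themes&action=import (MyBB 1.8 layout,
adjust if the admin directory was renamed).  The uploaded XML travels in the
POST body, which access logs do not record, so the import request itself is
the signal; SQL keywords can only be spotted in GET query strings.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample traffic (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:14:02:11 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:14:05:40 +0000] "POST /forum/admin/index.php?module=style-themes&action=import HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2021:14:06:02 +0000] "GET /forum/search.php?keywords=%27%20UNION%20SELECT%20password%20FROM%20mybb_users--%20 HTTP/1.1" 200 900 "-" "curl/7.68.0"
192.0.2.3 - - [10/Mar/2021:14:07:15 +0000] "GET /forum/showthread.php?tid=12 HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Decoded query strings: classic UNION/SELECT probes, quote-then-OR, comment openers.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b|'\s*or\s+|--\s|/\*", re.I)


def parse_line(line):
    """Split one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """Return the detection tags that fire for one parsed request."""
    url = urlsplit(record["url"])
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    tags = []
    if (record["method"] == "POST" and url.path.endswith("/admin/index.php")
            and params.get("module") == "style-themes" and params.get("action") == "import"):
        tags.append("acp_theme_import")       # every theme import deserves a look
    if SQLI_RE.search(unquote_plus(url.query)):
        tags.append("sqli_pattern")           # generic probing elsewhere on the forum
    return tags


def scan_access_log(text):
    """(tag, client ip, url) for each line that triggers a rule, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            findings.append((tag, rec["ip"], rec["url"]))
    return findings


if __name__ == "__main__":
    for tag, ip, url in scan_access_log(SAMPLE_LOG):
        print(f"{tag:17} {ip:14} {url}")
```

On the sample the import from 203.0.113.7 and the UNION probe from 198.51.100.9 are reported; the ordinary page views are not. In production, feed the `acp_theme_import` events into a review queue keyed on source IP and compare against the IPs that administrators normally log in from, since a theme import from a never-before-seen address is the strongest single signal this CVE leaves in web logs.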
