CVE-2024-23336

5.0 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in MyBB forum software where the default disallowed remote hosts list doesn't include the complete 127.0.0.0/8 block, allowing attackers to potentially bypass localhost restrictions. This affects MyBB installations with default configurations, potentially enabling attackers to access internal services. Administrators of MyBB forums are affected and should update their configurations.

💻 Affected Systems

Products:
  • MyBB
Versions: before 1.8.38
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using default configuration. Custom configurations that already include 127.0.0.0/8 are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass localhost restrictions to access internal services, potentially leading to data exfiltration, internal network reconnaissance, or chaining with other vulnerabilities to achieve remote code execution.

🟠 Likely Case

Attackers could access internal services running on localhost addresses other than 127.0.0.1, potentially exposing administrative interfaces, databases, or other internal resources.

🟢 If Mitigated

With proper configuration including the full 127.0.0.0/8 block, SSRF attempts to localhost addresses would be blocked, preventing internal service access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires finding SSRF vectors in MyBB functionality, then using localhost addresses other than 127.0.0.1 to bypass restrictions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.38

Vendor Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-qfrj-65mv-h75h

Restart Required: No

Instructions:

1. Upgrade to MyBB 1.8.38 or later.
2. For existing installations, manually edit inc/config.php to add '127.0.0.0/8' to the $config['disallowed_remote_addresses'] array.
3. Verify the configuration includes all internal IP addresses that resolve to the server.

🔧 Temporary Workarounds

Manual Configuration Update (applies to: all)

Add 127.0.0.0/8 to the disallowed remote addresses configuration: edit inc/config.php and add '127.0.0.0/8' to the $config['disallowed_remote_addresses'] array.

🧯 If You Can't Patch

  • Manually add '127.0.0.0/8' to $config['disallowed_remote_addresses'] in inc/config.php
  • Add other internal IP addresses that resolve to the server to the disallowed list
  • Implement network-level restrictions to block outbound requests from the MyBB server to internal resources

🔍 How to Verify

Check if Vulnerable:

Check inc/config.php for $config['disallowed_remote_addresses'] array. If it doesn't contain '127.0.0.0/8' or equivalent CIDR notation, the system is vulnerable.
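To make the "Check if Vulnerable" and "Verify Fix Applied" steps concrete, here is an added Python script (not part of this advisory or of MyBB) that parses the $config['disallowed_remote_addresses'] array out of inc/config.php text and reports whether the whole 127.0.0.0/8 block is covered, rather than just the single 127.0.0.1 host. The two embedded config snippets are constructed samples shaped like the pre-fix and post-fix defaults, not copied from a MyBB release; the function names are this example's own.

```python
"""Check a MyBB inc/config.php disallowed_remote_addresses list for 127.0.0.0/8 coverage.

Added example, not MyBB project code. It assumes the config uses the
$config['disallowed_remote_addresses'] = array(...) form shown in the advisory.
"""
import ipaddress
import re

# Constructed sample resembling a pre-1.8.38 default: only the single
# loopback host 127.0.0.1 is listed, so 127.0.0.2 and the rest of /8 pass.
VULNERABLE_CONFIG = """<?php
$config['disallowed_remote_addresses'] = array('127.0.0.1', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');
$config['disallowed_remote_hosts'] = array('localhost');
"""

# Constructed sample with the fix applied: the full 127.0.0.0/8 block.
FIXED_CONFIG = """<?php
$config['disallowed_remote_addresses'] = array('127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16');
$config['disallowed_remote_hosts'] = array('localhost');
"""

ARRAY_RE = re.compile(
    r"\$config\['disallowed_remote_addresses'\]\s*=\s*array\((.*?)\)\s*;",
    re.DOTALL,
)
ENTRY_RE = re.compile(r"""['"]([^'"]+)['"]""")

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_disallowed(config_text):
    """Return the ip_network objects listed in disallowed_remote_addresses."""
    match = ARRAY_RE.search(config_text)
    if not match:
        return []
    nets = []
    for raw in ENTRY_RE.findall(match.group(1)):
        try:
            # strict=False accepts host addresses like '127.0.0.1' as /32
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            continue  # skip malformed entries rather than crash the check
    return nets


def is_blocked(addr, nets):
    """True if addr falls inside any configured disallowed network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets if net.version == ip.version)


def covers_loopback(nets):
    """True only if the entire 127.0.0.0/8 block is disallowed."""
    return any(LOOPBACK.subnet_of(net) for net in nets if net.version == 4)


def assess(config_text):
    """Summarise loopback coverage for a given inc/config.php text."""
    nets = parse_disallowed(config_text)
    return {
        "covers_loopback": covers_loopback(nets),
        "blocks_127_0_0_1": is_blocked("127.0.0.1", nets),
        "blocks_127_0_0_2": is_blocked("127.0.0.2", nets),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, assess(text))
```

Run it against a real file with `assess(open("inc/config.php").read())`; a result with `covers_loopback` False means the configuration still has the gap this CVE describes even though 127.0.0.1 itself is blocked.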

Check Version:

Check MyBB Admin CP → Version & Update section or examine inc/version.php

Verify Fix Applied:

Verify inc/config.php contains '127.0.0.0/8' in $config['disallowed_remote_addresses'] array and MyBB version is 1.8.38 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from MyBB server to localhost addresses
  • Failed SSRF attempts in web server logs
  • Requests to internal IP addresses from MyBB application

Network Indicators:

  • Outbound HTTP requests from MyBB server to 127.x.x.x addresses
  • Internal service access originating from MyBB server

SIEM Query:

(source="mybb_logs" AND (dest_ip=127.* OR dest_ip="localhost") AND action="blocked") OR (source="web_server" AND uri CONTAINS "127." AND status=4xx)
