CVE-2011-10018

myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/	Vendor Advisory
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb	Product
https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/	Third Party Advisory
https://www.exploit-db.com/exploits/17949	Exploit
https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution	Third Party Advisory
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb	Product
https://www.exploit-db.com/exploits/17949	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-13 21:15

Updated : 2025-08-14 17:42

NVD link : CVE-2011-10018

Mitre link : CVE-2011-10018

CVE.ORG link : CVE-2011-10018

JSON object : View

Products Affected

mybb

mybb

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-912

Hidden Functionality

{"id": "CVE-2011-10018", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-13T21:15:29.387", "references": [{"url": "https://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/", "tags": ["Vendor Advisory"], "source": "[email protected]"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb", "tags": ["Product"], "source": "[email protected]"}, {"url": "https://web.archive.org/web/20111015224948/http://secunia.com/advisories/46300/", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/17949", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/mybb-backdoor-arbitrary-command-execution", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/mybb_backdoor.rb", "tags": ["Product"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://www.exploit-db.com/exploits/17949", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-912"}]}], "descriptions": [{"lang": "en", "value": "myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application."}, {"lang": "es", "value": "La versi\u00f3n 1.6.4 de myBB se distribuy\u00f3 con una puerta trasera no autorizada incrustada en el c\u00f3digo fuente. Esta puerta trasera permit\u00eda a atacantes remotos ejecutar c\u00f3digo PHP arbitrario inyectando payloads en una cookie colapsada especialmente manipulada. Esta vulnerabilidad se introdujo durante el empaquetado y no formaba parte de la l\u00f3gica de la aplicaci\u00f3n. Su explotaci\u00f3n no requiere autenticaci\u00f3n y compromete por completo el servidor web en el contexto de la aplicaci\u00f3n web."}], "lastModified": "2025-08-14T17:42:18.333", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mybb:mybb:1.6.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDFE35CB-05CC-4E6F-B188-1141773E7F10"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}