CVE-2018-11092 - OpenCVE

An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Admin Notes Project	Admin Notes

Configuration 1 [-]

cpe:2.3:a:admin_notes_project:admin_notes:1.1:*:*:*:*:mybb:*:*

No data.

References

Link	Providers
https://community.mybb.com/mods.php?action=changelog&pid=1106
https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split
https://www.exploit-db.com/exploits/44624/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-05-21T14:00:00

Updated: 2024-08-05T07:54:36.571Z

Reserved: 2018-05-14T00:00:00

Link: CVE-2018-11092

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-05-21T14:29:00.217

Modified: 2018-06-25T15:05:08.173

Link: CVE-2018-11092

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-05-16T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-05-21T13:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://community.mybb.com/mods.php?action=changelog&pid=1106"}, {"name": "44624", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/44624/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-11092", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://community.mybb.com/mods.php?action=changelog&pid=1106", "refsource": "CONFIRM", "url": "https://community.mybb.com/mods.php?action=changelog&pid=1106"}, {"name": "44624", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/44624/"}, {"name": "https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split", "refsource": "CONFIRM", "url": "https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T07:54:36.571Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://community.mybb.com/mods.php?action=changelog&pid=1106"}, {"name": "44624", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/44624/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-11092", "datePublished": "2018-05-21T14:00:00", "dateReserved": "2018-05-14T00:00:00", "dateUpdated": "2024-08-05T07:54:36.571Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:admin_notes_project:admin_notes:1.1:*:*:*:*:mybb:*:*", "matchCriteriaId": "F90393AE-CC12-4A5A-9E85-A90426D0E8F3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF allows an attacker to remotely delete all admin notes via an admin/index.php?empty=table (aka Clear Table) action."}, {"lang": "es", "value": "Se ha descubierto un problema en el plugin Admin Notes 1.1 para MyBB. Cross-Site Request Forgery (CSRF) permite que un atacante elimine de forma remota todas las notas de administrador mediante una acci\u00f3n admin/index.php?empty=table, tambi\u00e9n conocida como \"Clear Table\"."}], "id": "CVE-2018-11092", "lastModified": "2018-06-25T15:05:08.173", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-05-21T14:29:00.217", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://community.mybb.com/mods.php?action=changelog&pid=1106"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/44624/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}