CSRF Vulnerability in JN-Jones MyBB-2FA Plugin Allows Unauthorized Deactivation of Two-Factor Authentication

CSRF Vulnerability in JN-Jones MyBB-2FA Plugin Allows Unauthorized Deactivation of Two-Factor Authentication

CVE-2019-12363 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:P

An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate (or usercp.php?action=mybb2fa&do=activate). A deactivate operation lowers the security of the targeted account by disabling two factor authentication.

Learn more about our User Device Pen Test.