PatchSiren

CVE-2015-8977 MyBB CVE debrief

CVE-2015-8977 is an information-disclosure flaw in MyBB and MyBB Merge System where error log files can reveal the installation path to a remote attacker. NVD rates it HIGH (CVSS 3.0: 7.5) with network access, no privileges, and no user interaction, and maps it to CWE-532. The vendor release notes identify MyBB 1.6.18, MyBB 1.8.6, and MyBB Merge System 1.8.6 as the fixed releases.

Vendor: MyBB
Product: CVE-2015-8977
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-31
Original CVE updated: 2026-05-13
Advisory published: 2017-01-31
Advisory updated: 2026-05-13

Who should care

Administrators and hosting teams running public-facing MyBB or MyBB Merge System installations, especially those still on versions older than the fixed releases or exposing error logs through the web server.

Technical summary

The NVD description states that remote attackers could obtain the installation path through vectors involving error log files. NVD classifies the weakness as CWE-532 (Insertion of Sensitive Information into Log File) and lists vulnerable ranges including MyBB up to 1.6.17, MyBB 1.8.0 through 1.8.5, and MyBB Merge System up to 1.8.5. The reference set includes vendor release notes and third-party advisories supporting the disclosure.

Defensive priority

High — externally reachable information disclosure with no authentication or user interaction required.

Recommended defensive actions

  • Upgrade MyBB to 1.6.18 or 1.8.6, and MyBB Merge System to 1.8.6 or later.
  • Verify that error log files are not web-accessible and are stored outside the document root where possible.
  • Review exposed logs for unintended path disclosure and remove or restrict any publicly reachable copies.
  • Confirm the deployment still serves only sanitized error output after the upgrade.
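
The two log checks in the list above can be scripted. The following Python sketch is an added example, not code from MyBB or from the advisory; the `.log` file-name heuristic, the sample file names and the sample log lines are constructed assumptions. It walks a document root, lists every log file stored inside it, and flags the lines that contain the installation path.

```python
import os
import tempfile

def find_logs(docroot):
    """Yield files under docroot whose name looks like a log (assumed: contains '.log')."""
    for base, _dirs, files in os.walk(docroot):
        for name in files:
            if ".log" in name.lower():
                yield os.path.join(base, name)

def leaking_lines(log_path, docroot):
    """Return (line_number, text) pairs that contain the installation path."""
    # Check both the path as given and its symlink-resolved form.
    needles = {os.path.abspath(docroot), os.path.realpath(docroot)}
    hits = []
    with open(log_path, "r", errors="replace") as fh:
        for number, line in enumerate(fh, 1):
            if any(needle in line for needle in needles):
                hits.append((number, line.rstrip("\n")))
    return hits

def audit(docroot):
    """Map each log found inside the document root to its path-leaking lines."""
    report = {}
    for path in find_logs(docroot):
        report[os.path.relpath(path, docroot)] = leaking_lines(path, docroot)
    return report

def build_sample(docroot):
    """Constructed sample tree; file names and log lines are invented for the demo."""
    os.makedirs(os.path.join(docroot, "inc"))
    real = os.path.realpath(docroot)
    with open(os.path.join(docroot, "error.log"), "w") as fh:
        fh.write("sample warning in %s line 10\n" % os.path.join(real, "inc", "sample.php"))
        fh.write("sample notice without any path\n")
    with open(os.path.join(docroot, "inc", "access.log"), "w") as fh:
        fh.write("sample entry without any path\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for rel, hits in sorted(audit(root).items()):
            # Any entry at all means a log lives inside the document root.
            print("%s: inside document root, %d line(s) expose the path" % (rel, len(hits)))
            for number, text in hits:
                print("  line %d: %s" % (number, text))
```

Every file the report lists is a candidate for relocation outside the document root, whether or not its current contents expose the path.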

Evidence notes

This debrief is based on the NVD record, which describes remote path disclosure via error log files and provides the CVSS vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The supplied NVD data also lists affected versions and maps the issue to CWE-532. Vendor release notes dated 2015-09-07 identify the fixed versions (MyBB 1.6.18, MyBB 1.8.6, Merge System 1.8.6). The supplied corpus does not indicate KEV inclusion or known ransomware use.

Official resources

Publicly disclosed through vendor release notes and mirrored in NVD/CVE references; no KEV listing is present in the supplied corpus.