Advisory: MyBB Two Factor Authentication extension Vulnerabilities
Mohamed A. Baset

[-] Product Description:
MyBB-2FA is an unmaintained MyBB plugin that allows MyBB admins to enable Two Factor Authentication for their forum users.

[-] Vulnerability Type:
Cross Site Request Forgery

[-] Impact and more info:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

[-] Vulnerable Request Type:
GET based

[-] Vulnerable Module/Parameter/Path:
MyBB_Installation/usercp.php?action=mybb2fa&do=[ACTION]

[-] Proof of Concept URL:
MyBB_Installation/usercp.php?action=mybb2fa&do=deactivate
MyBB_Installation/usercp.php?action=mybb2fa&do=activate

[-] Fix Suggestion:
Implement an anti-CSRF token to protect against forged requests
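
The suggested fix as an added example (not code from MyBB-2FA or from this advisory's author): a stand-alone PHP handler for the activate/deactivate action that refuses GET and requires a session-bound token. The names issue_csrf_token, handle_2fa_action and csrf_token are hypothetical, and the session and requests are constructed sample data.

```php
<?php
// Added example: stand-alone sketch, not the plugin's code. All function and
// field names here are hypothetical.

// Create (once per session) the random token that the settings form embeds.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Handle usercp.php?action=mybb2fa&do=[ACTION]; returns [HTTP status, message].
function handle_2fa_action(string $method, array $query, array $post, array &$session): array
{
    $do = $query['do'] ?? '';
    if (!in_array($do, ['activate', 'deactivate'], true)) {
        return [400, 'unknown action'];
    }
    // State changes must not be reachable by GET (links, images, redirects).
    if ($method !== 'POST') {
        return [405, 'POST required'];
    }
    // The token must arrive in the request body and match the session's copy.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return [403, 'invalid CSRF token'];
    }
    $session['2fa_enabled'] = ($do === 'activate');
    return [200, "2FA {$do}d"];
}

// Constructed requests against a constructed session that has 2FA switched on.
$session = ['2fa_enabled' => true];
$token = issue_csrf_token($session);
$query = ['action' => 'mybb2fa', 'do' => 'deactivate'];
$cases = [
    'cross-site GET'              => ['GET', []],
    'cross-site POST, no token'   => ['POST', []],
    'cross-site POST, bad token'  => ['POST', ['csrf_token' => str_repeat('0', 64)]],
    'POST from the settings form' => ['POST', ['csrf_token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    [$status, $msg] = handle_2fa_action($method, $query, $post, $session);
    printf("%-28s -> %d %s (2fa_enabled=%s)\n", $label, $status, $msg,
        var_export($session['2fa_enabled'], true));
}
```

Only the last request changes the 2FA state. In a MyBB plugin the same check is normally done with the core's own post key: a hidden my_post_key field verified with verify_post_check().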

[-] Product URL(s):
https://github.com/JN-Jones/MyBB-2FA
https://community.mybb.com/thread-162369.html

[-] Advisory:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12363

[-] Disclaimer:
This bug is subject to Seekurity SAS de C.V.'s responsible disclosure rules, which set a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug details will become visible to the public through our official communication channels.
