First published: Mon Nov 06 2023(Updated: )
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP → Configuration → Settings → Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP → Your Profile → Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit `6dcaf0b4d`. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (_Admin CP → Configuration → Settings_): - _Clickable Smilies and BB Code → [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_: _Off_. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (_User CP → Your Profile → Edit Options_) _Show the MyCode formatting options on the posting pages_.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
<1.8.37 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this MyBB vulnerability is CVE-2023-46251.
The title of this vulnerability is Visual editor persistent Cross-site Scripting (XSS) in MyBB.
The affected software version of this vulnerability is MyBB 1.8.37.
The severity rating of this vulnerability is high (7.5).
This vulnerability can be exploited by pointing a victim to a page where the visual editor is active and injecting malicious code.
To fix this vulnerability, update MyBB to version 1.8.37 or a higher version.
You can find more information about this vulnerability at the following references: [GitHub Advisory](https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8) and [MyBB Versions](https://mybb.com/versions/1.8.37/).