Impact
Cross-site scripting (XSS) vulnerability in the visual MyCode editor (SCEditor) allows remote attackers to inject HTML via user input or stored data.
The impact may be reduced when:
- the "Show the MyCode formatting options on the posting pages." option (User CP → Your Profile → Edit Options) is disabled for individual users, or
- the "Put the editor in source mode by default." option (User CP → Your Profile → Edit Options) is enabled for individual users, and the editor is not switched to preview (WYSIWYG) mode.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
SCEditor 2.1.3, bundled with MyBB, does not parse the provided content correctly, producing malformed output that results in an XSS vulnerability.
Patches
MyBB 1.8.32 resolves this issue with the following changes:
Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.