Impact
Multiple cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with a specially crafted name.
The impact may be reduced when:
- the attachment feature is disabled (Admin CP → Configuration → Settings → Attachments: Enable Attachment Functionality setting is set to No), or
- the Can post attachments? permission is disabled for individual usergroups in individual forums.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
Following the upload of a file as an attachment to a post, the name of the file may be added dynamically to the DOM in an unsafe manner.
CVE-2022-43708.1 — Reflected XSS (Type 1)
The file name, included in the server response constructed at:
https://github.com/mybb/mybb/blob/mybb_1831/inc/functions_upload.php#L826
is not escaped correctly, resulting in a reflected XSS vulnerability.
CVE-2022-43708.2 — DOM-Based XSS (Type 0)
The file name, included in HTML code containing a list of conflicting filenames, constructed client-side at:
https://github.com/mybb/mybb/blob/mybb_1831/jscripts/post.js#L218
is not escaped correctly, resulting in a DOM-based XSS vulnerability.
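The DOM-based case above, as an added example (not MyBB's code or its patch): a list of file names built by string concatenation, beside a version that escapes each name first. The function names and the sample file names are constructed for illustration.

```javascript
// Added example, not MyBB code. All function names are hypothetical.

// Escape the five characters that are significant in HTML text and
// in quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: file names are concatenated into markup as-is, so any
// markup inside a name becomes part of the page once the string is
// assigned to the DOM.
function buildConflictListUnsafe(fileNames) {
  return '<ul>' + fileNames.map((n) => '<li>' + n + '</li>').join('') + '</ul>';
}

// Hardened pattern: every file name is escaped before concatenation.
// In a browser, creating the <li> nodes and setting textContent gives the
// same guarantee without building an HTML string at all.
function buildConflictListSafe(fileNames) {
  return '<ul>' + fileNames.map((n) => '<li>' + escapeHtml(n) + '</li>').join('') + '</ul>';
}

// Count the tags in generated markup (a simple check for this demo,
// not a general HTML parser).
function countTags(html) {
  return (html.match(/<[a-zA-Z\/][^>]*>/g) || []).length;
}

// Constructed sample input: one ordinary name and one containing markup.
const sampleNames = ['report.pdf', '<b title="x">notes</b>.txt'];

const unsafeHtml = buildConflictListUnsafe(sampleNames);
const safeHtml = buildConflictListSafe(sampleNames);

console.log(unsafeHtml);
console.log(safeHtml);
// The structural list markup accounts for 6 tags; any extra tags came
// from a file name.
console.log('tags (unsafe):', countTags(unsafeHtml), 'tags (safe):', countTags(safeHtml));
```
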
Patches
MyBB 1.8.32 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/c3c474a5b70f9fb4bb368b5b58c623b1c9e2fc16.patch
Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.