Attachment upload XSS

Low
dvz published GHSA-p9m7-9qv4-x93w Nov 19, 2022

Package

MyBB

Affected versions

< 1.8.32

Patched versions

1.8.32

Description

Impact

Multiple cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with a specially crafted name.

The impact may be reduced when:

  • the attachment feature is disabled (Admin CP → Configuration → Settings → Attachments: Enable Attachment Functionality setting is set to No), or
  • the Can post attachments? permission is disabled for individual usergroups in individual forums.

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

Following the upload of a file as an attachment to a post, the name of the file may be added dynamically to the DOM in an unsafe manner.
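The unsafe pattern described above, beside its corrected form, as an added example (JavaScript; this is not MyBB's own code). The filename string and the rendering functions are constructed for illustration only.

```javascript
// Added example, not MyBB's code: shows why inserting an uploaded
// attachment's filename into the page as HTML is unsafe, and how to
// render it as text instead.

// Constructed filename a user might be persuaded to upload.
const CRAFTED_NAME = 'report<img src=x onerror=alert(1)>.pdf';

// Unsafe: the raw filename is concatenated into markup. Assigning this
// string via innerHTML turns any tags inside the name into live nodes.
function renderAttachmentUnsafe(filename) {
  return '<li class="attachment">' + filename + '</li>';
}

// Escape the five characters that can break out of text or attribute
// context. Numeric entities avoid relying on a named-entity table.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
}

// Safe: escape before building markup. In a browser the simplest
// equivalent is `li.textContent = filename`, which never parses HTML.
function renderAttachmentSafe(filename) {
  return '<li class="attachment">' + escapeHtml(filename) + '</li>';
}

// Return the content between the wrapper tags so a test can check that
// the filename contributed no unescaped '<' (i.e. no tag of its own).
function innerMarkup(fragment) {
  return fragment.replace(/^<li class="attachment">/, '').replace(/<\/li>$/, '');
}
```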

Patches

MyBB 1.8.32 resolves this issue with the following changes:

Workarounds

To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):

References

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.

Severity

Low

CVE ID

CVE-2022-43708

Weaknesses