Impact
Custom MyCode (BBCode) for the visual editor (SCEditor) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability.
The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.
The impact is be reduced when:
- the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or
- the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked).
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Patches
MyBB 1.8.37 resolves this issue with the following changes:
Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP → Your Profile → Edit Options) Show the MyCode formatting options on the posting pages.
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.
Impact
Custom MyCode (BBCode) for the visual editor (SCEditor) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability.
The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.
The impact is be reduced when:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Patches
MyBB 1.8.37 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/6dcaf0b4db6254f1833fe8dae295d9ddc2219276.patchWorkarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP → Your Profile → Edit Options) Show the MyCode formatting options on the posting pages.
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.