Visual editor persistent Cross-site Scripting (XSS) in MyBB
CVE-2023-46251

7.5 HIGH

Key Information:

Vendor: MyBB
Status: Vendor
CVE Published: 6 November 2023

What is CVE-2023-46251?

MyBB forum software is susceptible to a DOM-based cross-site scripting (XSS) vulnerability caused by inadequate escaping of custom MyCode (BBCode) input in the visual editor (SCEditor). An attacker can craft a malicious MyCode message which, when rendered in a post or a Private Message, executes arbitrary JavaScript in the context of the victim. The risk is heightened on pages where message content is populated dynamically from GET/POST parameters, and on reply pages that reference previously saved messages. As a workaround, the visual editor can be disabled globally in the admin settings or per user in the profile settings. Users are strongly encouraged to upgrade to MyBB 1.8.37, which contains the fix for this issue.
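The defect described above is a rendering step that places MyCode parameters and bodies into HTML without neutralising them. The following is an added illustration, not MyBB's or SCEditor's code: a hypothetical `[color=...]` custom MyCode renderer that validates the parameter against an allow-list and HTML-escapes both parameter and body before building the markup, so that quotes and angle brackets in user input cannot alter the resulting DOM.

```javascript
// Added example (not MyBB or SCEditor code). The tag syntax, HTML template
// and sample messages are constructed for illustration only.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allow-list for the colour parameter: a hex value or a plain colour keyword.
// Anything else (quotes, semicolons, spaces) is rejected rather than escaped,
// because it has no legitimate meaning inside a style attribute.
const COLOR_RE = /^(#[0-9a-fA-F]{3,6}|[a-zA-Z]{1,20})$/;

// Hardened renderer: the parameter must pass the allow-list and both the
// parameter and the body are escaped before being placed into the template.
function renderColorSafe(message) {
  return message.replace(/\[color=([^\]]+)\](.*?)\[\/color\]/gs, (match, param, body) => {
    if (!COLOR_RE.test(param)) {
      // Invalid parameter: emit the literal MyCode, escaped, instead of HTML.
      return escapeHtml(match);
    }
    return `<span style="color: ${escapeHtml(param)};">${escapeHtml(body)}</span>`;
  });
}

// Defensive check usable in tests: the rendered HTML must contain neither an
// unescaped tag nor an inline event-handler attribute originating from input.
function looksNeutralised(html, rawInput) {
  const reintroducedTag = /<(?!\/?span\b)[a-z]/i.test(html);
  const eventHandler = /\son[a-z]+=/i.test(html);
  return !reintroducedTag && !eventHandler && !html.includes(rawInput.replace(/\[.*?\]/g, ''));
}

// Constructed samples.
const BENIGN = '[color=red]hi[/color]';
const BODY_WITH_MARKUP = '[color=blue]<b>hi</b>[/color]';
const BAD_PARAM = '[color=red"]<b>hi</b>[/color]';
```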

Affected Version(s)

mybb < 1.8.37

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved