CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
20.6%
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn’t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or 2. the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit 6dcaf0b4d
. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (Admin CP → Configuration → Settings):- Clickable Smilies and BB Code → Clickable MyCode Editor: Off. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP → Your Profile → Edit Options) Show the MyCode formatting options on the posting pages.