CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC
Exploitation
none
Automatable
no
Technical Impact
total
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn’t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or 2. the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit 6dcaf0b4d
. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (Admin CP → Configuration → Settings):
[
{
"cpes": [
"cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:*"
],
"vendor": "mybb",
"product": "mybb",
"versions": [
{
"status": "affected",
"version": "0",
"lessThan": "1.8.37",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
SSVC
Exploitation
none
Automatable
no
Technical Impact
total