Impact
When a message contains URLs inside the values of MyCode (BBCode) tags, the parser may nest the generated markup unexpectedly and emit malformed HTML, resulting in a cross-site scripting (XSS) vulnerability.
The vulnerability can be exploited with minimal user interaction: an attacker saves a maliciously crafted MyCode message on the server (e.g. as a post or Private Message) and points a victim to a page where the content is parsed and rendered.
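The following is an added illustration of the failure mode described above; it is not MyBB's parser and does not reproduce the advisory's actual payload. It uses a hypothetical, deliberately tiny MyCode grammar (only [url=VALUE]TEXT[/url]) and a constructed sample message. The flawed pipeline expands tags to HTML first and then auto-links URLs over the rendered HTML, so a URL that has already become an href attribute value is wrapped in a second anchor and the markup nests. The hardened pipeline entity-escapes the message once, walks the tag structure, auto-links only free text between tags, and applies a scheme allowlist to tag values.

```python
import html
import re

# Constructed sample message (not from the advisory): the same URL appears both
# as the value of a [url=...] tag and as free text.
SAMPLE_MESSAGE = "See [url=http://example.com/]http://example.com/[/url] and http://example.org/"

# Hypothetical, deliberately simplified MyCode grammar: only [url=VALUE]TEXT[/url].
URL_TAG_RE = re.compile(r"\[url=([^\]\s]+)\](.*?)\[/url\]", re.DOTALL | re.IGNORECASE)
# Bare URLs eligible for auto-linking; stops at whitespace, quotes and angle brackets.
BARE_URL_RE = re.compile(r"https?://[^\s<>\"'\[\]]+")
ALLOWED_SCHEMES = ("http://", "https://")


def auto_link(text: str) -> str:
    """Wrap every bare URL in an anchor. Safe only on entity-escaped text nodes."""
    return BARE_URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def render_vulnerable(message: str) -> str:
    """Flawed pipeline: expand tags to HTML first, then auto-link the rendered HTML.

    The auto-linker cannot tell a URL inside an href="..." attribute from a URL in
    text, so it wraps the attribute value in a second <a> and the markup nests."""
    rendered = URL_TAG_RE.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', message)
    return auto_link(rendered)


def render_hardened(message: str) -> str:
    """Fixed pipeline: escape once, walk the tag structure, auto-link only free text.

    Tag values are never re-scanned after they become attributes, and because the
    whole message was entity-escaped first, a quote in a value cannot close the
    attribute."""
    escaped = html.escape(message, quote=True)
    out, pos = [], 0
    for m in URL_TAG_RE.finditer(escaped):
        out.append(auto_link(escaped[pos:m.start()]))  # free text: auto-link it
        href, inner = m.group(1), m.group(2)
        if href.lower().startswith(ALLOWED_SCHEMES):
            out.append(f'<a href="{href}">{inner}</a>')  # tag value: attribute only
        else:
            out.append(inner)  # unsupported scheme: drop the link, keep the text
        pos = m.end()
    out.append(auto_link(escaped[pos:]))
    return "".join(out)


def anchor_inside_attribute(rendered: str) -> bool:
    """Detect the malformed nesting: an <a ...> start tag inside an href value."""
    return re.search(r'href="[^"]*<a\b', rendered) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        out = render(SAMPLE_MESSAGE)
        print(f"{name}: nested anchor in attribute = {anchor_inside_attribute(out)}")
        print("  " + out)
```

The check in anchor_inside_attribute is a crude well-formedness probe, not a security test: the point is that any output where an attribute value contains a start tag has already left the HTML grammar, and what a browser makes of it afterwards is not something the parser controls. The design choice that matters is ordering: auto-linking must run on text nodes before, or independently of, tag expansion, never over markup the parser itself just produced.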
The impact may be reduced when:
- MyCode is disabled for individual forums, Private Messages, user profile signatures, and calendars, or
- guest users are not allowed to submit messages where MyCode is supported, or posting access is otherwise limited or controlled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Patches
MyBB 1.8.26 resolves this issue with the following changes:
- .patch: https://github.com/mybb/mybb/commit/86894e1e6837f7687ecf6d9e572a626fc2d5d4fc.patch
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.