Impact
Custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability.
The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.
The impact is be reduced when:
- the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or
- the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked).
CWE-79
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overview
MyBB adds and overwrites formatting functions for the included SCEditor WYSIWYG editor to support MyCode, a custom flavor of BBCode message formatting.
The code responsible for transforming [align], [size], [quote], and [font] MyCode to HTML for visual preview does not consistently use functions to convert special characters to HTML entities, resulting in a DOM-based Cross-site Scripting vulnerability responsive to externally-supplied payload passed in HTTP request parameters or stored on the server.
The server-side parser (postParser class) is not affected.
Patches
MyBB 1.8.24 resolves this issue with the following changes:
After upgrading MyBB to 1.8.24, make sure to update the version attribute in the codebuttons template for non-default themes to serve the latest version of the patched jscripts/bbcodes_sceditor.js file.
Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP → Your Profile → Edit Options) Show the MyCode formatting options on the posting pages.
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.
Impact
Custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability.
The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.
The impact is be reduced when:
CWE-79
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overview
MyBB adds and overwrites formatting functions for the included SCEditor WYSIWYG editor to support MyCode, a custom flavor of BBCode message formatting.
The code responsible for transforming
[align],[size],[quote], and[font]MyCode to HTML for visual preview does not consistently use functions to convert special characters to HTML entities, resulting in a DOM-based Cross-site Scripting vulnerability responsive to externally-supplied payload passed in HTTP request parameters or stored on the server.The server-side parser (
postParserclass) is not affected.Patches
MyBB 1.8.24 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0.patchAfter upgrading MyBB to 1.8.24, make sure to update the version attribute in the
codebuttonstemplate for non-default themes to serve the latest version of the patchedjscripts/bbcodes_sceditor.jsfile.Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP → Your Profile → Edit Options) Show the MyCode formatting options on the posting pages.
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.