Impact
The parsing of messages containing unexpectedly nested [email]
MyCode (BBCode) tags may result in malformed HTML output, leading to an XSS vulnerability.
The vulnerability can be exploited with minimal user interaction by pointing a victim to page where a maliciously crafted MyCode message is rendered. This may occur when:
- a new message form with instant preview is pre-filled through a POST or GET parameter, or
- a message previously saved on the server (e.g. as a post or Private Message) is displayed.
The impact may be reduced when:
- the
[email]
MyCode is disabled (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Allow Email MyCode setting is set to Off), or
- MyCode is disabled for individual forums, Private Messages, user profile signatures, and calendars, or
- guest users are not allowed to submit messages where MyCode is supported, or posting access is otherwise limited or controlled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overview
The HTML output of the [email]
MyCode may include opening [
and closing ]
square brackets in the value of the href=""
attribute of the <a>
tag.
This may result in unexpected, further parsing of MyCode and insertion of output in the parameter value with unescaped, colliding quotation marks "
, leading to an XSS vulnerability.
Patches
MyBB 1.8.25 resolves this issue with the following changes:
Workarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.
Impact
The parsing of messages containing unexpectedly nested
[email]
MyCode (BBCode) tags may result in malformed HTML output, leading to an XSS vulnerability.The vulnerability can be exploited with minimal user interaction by pointing a victim to page where a maliciously crafted MyCode message is rendered. This may occur when:
The impact may be reduced when:
[email]
MyCode is disabled (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Allow Email MyCode setting is set to Off), orCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Overview
The HTML output of the
[email]
MyCode may include opening[
and closing]
square brackets in the value of thehref=""
attribute of the<a>
tag.This may result in unexpected, further parsing of MyCode and insertion of output in the parameter value with unescaped, colliding quotation marks
"
, leading to an XSS vulnerability.Patches
MyBB 1.8.25 resolves this issue with the following changes:
.patch
: https://github.com/mybb/mybb/commit/cb781b49116bf5c4d8deca3e17498122b701677a.patchWorkarounds
To reduce impact without upgrading MyBB, change the following setting (Admin CP → Configuration → Settings):
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.