Impact
The displayed Template Name value in the Admin CP's theme management is not escaped properly, resulting in a stored XSS vulnerability.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
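The following is an added example, not MyBB's code and not the patch itself: a Python audit that flags stored template names which are not inert when written into HTML unescaped, next to an output-escaped rendering of the same value. The row layout, sample names and function names are assumptions made for illustration.

```python
import html

# Characters that change meaning in HTML text or attribute context.
HTML_SPECIAL = set("<>&\"'")


def render_name_cell(name: str) -> str:
    """Render a template name into a table cell with output escaping."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


def audit_template_names(rows):
    """Return (id, name, offending characters) for names that are not inert as raw HTML."""
    findings = []
    for tid, name in rows:
        bad = sorted(HTML_SPECIAL.intersection(name))
        if bad:
            findings.append((tid, name, "".join(bad)))
    return findings


# Constructed sample rows (id, template name); not taken from a real forum.
SAMPLE_ROWS = [
    (1, "header_welcomeblock"),
    (2, "postbit_classic"),
    (3, "<script>/* constructed */</script>"),
    (4, "footer & contact"),
]

if __name__ == "__main__":
    for tid, name, bad in audit_template_names(SAMPLE_ROWS):
        print(f"template {tid}: name contains {bad!r}; "
              f"escaped form: {render_name_cell(name)}")
```

Names flagged by the audit deserve review even after upgrading, since escaping on display does not remove values that were already stored.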
Patches
MyBB 1.8.28 resolves this issue with the following changes:
.patch: https://github.com/mybb/mybb/commit/0d60d98b6199c77c940f227ca4f2455896557a53.patch
References
For more information
Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.
Contact
The security team can be reached at security@mybb.com.