
ACP Template Name XSS

Moderate
dvz published GHSA-gxhv-r3m5-6qv7 Oct 26, 2021

Package

MyBB (PHP)

Affected versions

< 1.8.28

Patched versions

1.8.28

Description

Impact

The displayed Template Name value in the Admin CP's theme management is not escaped properly, resulting in a stored XSS vulnerability.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
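
The output pattern that produces this class of bug, next to its encoded form, with a small audit helper for names already stored. This is an added example, not MyBB source code or the 1.8.28 patch; the function names and sample template names are constructed for illustration.

```php
<?php
// Added illustration; not MyBB code. All names and data below are hypothetical.

// Vulnerable pattern: a stored name is concatenated into admin-page HTML as-is,
// so any markup in the name is interpreted by the administrator's browser.
function render_row_unescaped(string $templateName): string
{
    return '<td class="template-name">' . $templateName . '</td>';
}

// Hardened pattern: encode for the HTML context at output time.
function render_row_escaped(string $templateName): string
{
    $safe = htmlspecialchars($templateName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="template-name">' . $safe . '</td>';
}

// Audit helper: return stored names that change when HTML-encoded,
// i.e. names that would be treated as markup if output raw.
// A plain "&" in a name is also flagged, so expect some benign hits.
function find_names_with_markup(array $names): array
{
    return array_values(array_filter($names, function (string $name): bool {
        return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') !== $name;
    }));
}

// Constructed sample data standing in for stored template names.
$storedNames = [
    'header_welcomeblock_member',
    'my_custom_footer',
    '<script>alert(1)</script>',
    'sidebar" onmouseover="x',
];

foreach ($storedNames as $name) {
    echo render_row_escaped($name), PHP_EOL;
}

echo 'Names to review:', PHP_EOL;
foreach (find_names_with_markup($storedNames) as $name) {
    echo '  ', json_encode($name), PHP_EOL;
}
```

Because the payload is stored, upgrading stops it from rendering but does not remove it; reviewing existing names for markup covers that gap.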

Patches

MyBB 1.8.28 resolves this issue with the following changes:

References

For more information

Go to mybb.com/security to report possible security concerns or to learn more about security research at MyBB.

Contact

The security team can be reached at security@mybb.com.

Severity

Moderate

CVE ID

CVE-2021-41866

Weaknesses