Headline
CVE-2023-46251: Fix Visual editor size code persistent XSS · mybb/mybb@6dcaf0b
MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn’t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (Admin CP ? Configuration ? Settings ? Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or 2. the visual editor is disabled for individual user accounts (User CP ? Your Profile ? Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked). MyBB 1.8.37 resolves this issue with the commit 6dcaf0b4d. Users are advised to upgrade. Users unable to upgrade may mitigate the impact without upgrading MyBB by changing the following setting (Admin CP ? Configuration ? Settings):
- Clickable Smilies and BB Code ? Clickable MyCode Editor: Off. Similarly, individual MyBB forum users are able to disable the visual editor by diabling the account option (User CP ? Your Profile ? Edit Options) Show the MyCode formatting options on the posting pages.
@@ -1,5 +1,5 @@ <?xml version="1.0" encoding="UTF-8"?> <theme name="MyBB Master Style" version="1834"> <theme name="MyBB Master Style" version="1837"> <properties> <templateset><![CDATA[1]]></templateset> <imgdir><![CDATA[images]]></imgdir> Expand Down Expand Up @@ -14159,9 +14159,9 @@ if(use_xmlhttprequest == “1”) <td class="trow1" width="20%"><strong>{$lang->username}</strong></td> <td class="trow1">{$mybb->user[‘username’]} <span class="smalltext">[<strong><a href="member.php?action=logout&logoutkey={$mybb->user[‘logoutkey’]}">{$lang->change_user}</a></strong>]</span></td> </tr>]]></template> <template name="codebuttons" version="1832"><![CDATA[<link rel="stylesheet" href="{$mybb->asset_url}/jscripts/sceditor/themes/{$theme[‘editortheme’]}" type="text/css" media="all" /> <template name="codebuttons" version="1837"><![CDATA[<link rel="stylesheet" href="{$mybb->asset_url}/jscripts/sceditor/themes/{$theme[‘editortheme’]}" type="text/css" media="all" /> <script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/jquery.sceditor.bbcode.min.js?ver=1832"></script> <script type="text/javascript" src="{$mybb->asset_url}/jscripts/bbcodes_sceditor.js?ver=1832"></script> <script type="text/javascript" src="{$mybb->asset_url}/jscripts/bbcodes_sceditor.js?ver=1837"></script> <script type="text/javascript" src="{$mybb->asset_url}/jscripts/sceditor/plugins/undo.js?ver=1832"></script> <script type="text/javascript"> var partialmode = {$mybb->settings[‘partialmode’]}, Expand Down