CVE-2020-15139 Information

Description

In MyBB before version 1.8.24 the custom MyCode (BBCode) for the visual editor doesn’t escape input properly when rendering HTML resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24 make sure to update the version attribute in the codebuttons template for non-default themes to serve the latest version of the patched jscripts/bbcodes_sceditor.js file.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Reference

https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0 https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj https://mybb.com/versions/1.8.24/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

6.1