CVE-2023-53976
myBB Forums 1.8.26 Stored Cross-Site Scripting via Template Management
In short
myBB Forums 1.8.26 has a vulnerability in its template management system that allows administrators to accidentally or maliciously insert harmful scripts into template titles. When other users view these templates, the scripts execute in their browsers, potentially stealing information or taking actions on their behalf.
Technical detail
myBB 1.8.26 has a stored XSS vulnerability in its template management system that authenticated administrators can exploit through the template title field in the Global Templates interface. Injected payloads persist in the database and execute in the context of users viewing the affected templates; the only user interaction required is accessing the template management area.
Summary generated and translated by AI from the official description.
myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the template management system that allows authenticated administrators to inject malicious scripts when creating new templates. Attackers can exploit this vulnerability by inserting script payloads in the template title field when adding new templates through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface, causing arbitrary JavaScript to execute when the template is viewed.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
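The following audit sketch is an added example, not code from myBB or from the advisory. It flags stored template titles that contain markup and shows the output encoding that keeps a title inert when it is listed. The (tid, sid, title) row layout, the title allowlist and the sample rows are assumptions made for illustration.

```python
import html
import re

# Assumption: legitimate template titles are plain identifiers such as
# "header_welcomeblock_member"; anything else is queued for manual review.
SAFE_TITLE = re.compile(r"[A-Za-z0-9_ .-]{1,120}")
MARKUP_CHARS = set("<>\"'&")


def audit_titles(rows):
    """Return one finding per (tid, sid, title) row whose title fails the allowlist."""
    findings = []
    for tid, sid, title in rows:
        if SAFE_TITLE.fullmatch(title):
            continue
        findings.append({
            "tid": tid,
            "sid": sid,
            # Which HTML-significant characters the stored title contains.
            "markup": sorted(MARKUP_CHARS & set(title)),
            # Encoded form, safe to paste into an HTML report or ticket.
            "display": html.escape(title, quote=True),
        })
    return findings


def render_row(title):
    """Output-encode a title before placing it in a listing's HTML."""
    return "<td>{}</td>".format(html.escape(title, quote=True))


# Constructed sample rows, not taken from a real forum database.
SAMPLE_ROWS = [
    (101, -1, "header_welcomeblock_member"),
    (102, -1, "<script>alert(1)</script>"),
    (103, -1, 'news "2023" block'),
    (104, 1, "footer"),
]

if __name__ == "__main__":
    for finding in audit_titles(SAMPLE_ROWS):
        print(finding)
    print(render_row(SAMPLE_ROWS[1][2]))
```

Rows that are flagged only mean the title needs a look; the durable fix is encoding the title at the point where it is written into the page.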
Affected products
Mybb · myBB forums