CVE-2023-53978

myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Announcements

CVSS 5.1 MEDIUM · EPSS 0.2% · CWE-79
In short

myBB Forums 1.8.26 has a vulnerability where administrators can accidentally (or maliciously) inject harmful scripts into forum announcements. When other users view these announcements, the hidden scripts run in their browsers, potentially stealing information or taking unwanted actions.

Technical detail

Stored XSS in the forum announcement system allows authenticated administrators to inject malicious JavaScript via the announcement title field in the 'Forums and Posts' > 'Forum Announcements' interface. The injected payload persists in the database and executes in the browsers of all users viewing the announcement, enabling credential theft, session hijacking, or defacement without requiring victim interaction.

Summary generated and translated by AI from the official description.
myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
Mybb · myBB forums
