CVE-2020-15139
Severity: HIGH
MyBB < 1.8.24 - DOM-based Cross-Site Scripting via Custom MyCode in Visual Editor
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the `codebuttons` template for non-default themes to serve the latest version of the patched `jscripts/bbcodes_sceditor.js` file.
References (3)
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/mybb/mybb/security/advisories/GHSA-37h7-vfv6-f8rj
Patch, Third Party Advisory x_refsource_misc
https://github.com/mybb/mybb/commit/37ad29dcd25489a37bdd89ebac761f22492558b0
Patch, Vendor Advisory x_refsource_misc
https://mybb.com/versions/1.8.24/
Scores
CVSS v3
8.8
EPSS
0.0132
EPSS Percentile
67.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-79
Status
published
Products (1)
mybb/mybb
< 1.8.24
Published
Aug 10, 2020
Tracked Since
Feb 18, 2026