CVE-2023-53977

myBB Forums 1.8.26 Stored Cross-Site Scripting via Forum Management

CVSS 5.1 MEDIUM · EPSS 0.2% · CWE-79
In short

myBB Forums 1.8.26 has a vulnerability where administrators can accidentally (or maliciously) insert harmful scripts into forum names through the admin panel. When other users view the forum list, these scripts run in their browsers, potentially stealing data or performing unwanted actions.

Technical detail

Stored XSS vulnerability in the forum management interface (CWE-79) affecting myBB 1.8.26. Authenticated administrators can inject malicious JavaScript via the forum title field in the 'Forums and Posts' > 'Forum Management' section. The payload persists in the database and executes in the context of users viewing forum listings, bypassing input sanitization on the backend.

Summary generated and translated by AI from the official description.
myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum management system that allows authenticated administrators to inject malicious scripts when creating new forums. Attackers can exploit this vulnerability by inserting script payloads in the forum title field when adding new forums through the 'Forums and Posts' > 'Forum Management' interface, causing arbitrary JavaScript to execute when the forum listing is viewed.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
Mybb · myBB forums
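
A defender-side audit for the stored forum titles described above, as an added example that is not code from myBB or from the advisory. It flags titles containing script-capable markup and shows the HTML-escaped form a forum listing should emit. The `(fid, name)` row shape and all sample titles are constructed assumptions.

```python
import html
import re

# Constructed sample rows shaped like (forum id, forum title); the field
# names are assumptions for this example, not taken from the advisory.
SAMPLE_FORUMS = [
    (1, "General Discussion"),
    (2, "Q&A <beginners>"),
    (3, "News<script>alert(1)</script>"),
    (4, 'Offers <img src=x onerror="alert(1)">'),
    (5, "Tips &amp; Tricks"),
]

# Markup that can run script if a title is written into a page unescaped:
# script-capable tags, inline event handlers inside a tag, javascript: URLs.
ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*(?:script|iframe|object|embed|svg|img|style|link|meta|base|form)\b"
    r"|<[^>]*\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def classify(title):
    """Return 'active', 'markup' or 'clean' for one stored forum title."""
    if ACTIVE_MARKUP.search(title):
        return "active"   # would execute script when rendered raw
    if "<" in title or ">" in title:
        return "markup"   # raw angle brackets: harmless here, still needs escaping
    return "clean"


def audit(rows):
    """Return (fid, verdict, escaped_title) for every title that is not clean."""
    findings = []
    for fid, name in rows:
        verdict = classify(name)
        if verdict != "clean":
            # html.escape is the output encoding the listing page should apply.
            findings.append((fid, verdict, html.escape(name, quote=True)))
    return findings


if __name__ == "__main__":
    for fid, verdict, safe in audit(SAMPLE_FORUMS):
        print(f"fid={fid} verdict={verdict} escaped={safe}")
```

The pattern list is a triage aid for existing rows, not a filter to rely on; the escaped rendering is what prevents execution.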
