Login Sign Up

CVE-2023-32670

9.0 CRITICAL
Cross-Site Scripting

📋 TL;DR

This is a Cross-Site Scripting (XSS) vulnerability in BuddyBoss platform version 2.2.9 that allows authenticated users with basic privileges to inject malicious JavaScript payloads through image file name parameters. The payload becomes persistent and executes when the associated image loads, potentially affecting all users who view the compromised content.

💻 Affected Systems

Products:
  • BuddyBoss Platform
Versions: 2.2.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects BuddyBoss installations with user registration enabled where attackers can create basic accounts.

📦 What is this software?

Buddyboss by Buddyboss

View all CVEs affecting Buddyboss →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform account takeovers, redirect users to malicious sites, or deploy malware through the compromised BuddyBoss instance.

🟠

Likely Case

Attackers with basic user accounts inject malicious scripts that steal session tokens or credentials from other users when they view affected images.

🟢

If Mitigated

With proper input validation and output encoding, the payload would be neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated access with basic user privileges. Exploitation is straightforward once an account is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.10 or later

Vendor Advisory: https://www.buddyboss.com/resources/buddyboss-platform-changelog/

Restart Required: No

Instructions:

1. Backup your WordPress database and files. 2. Update BuddyBoss Platform plugin to version 2.2.10 or later via WordPress admin dashboard. 3. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter

all

Add custom input validation to sanitize image file names before processing

Add custom PHP filter function to validate image file names contains only alphanumeric characters, hyphens, underscores, and periods

🧯 If You Can't Patch

  • Restrict user registration to prevent attackers from obtaining basic accounts
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Check BuddyBoss Platform version in WordPress admin dashboard under Plugins section

Check Version:

wp plugin list --name=buddyboss-platform --field=version (if WP-CLI installed)

Verify Fix Applied:

Confirm version is 2.2.10 or higher and test image upload functionality with malicious payload attempts

📡 Detection & Monitoring

Log Indicators:

  • Unusual image uploads with JavaScript payloads in filenames
  • Multiple failed login attempts followed by successful login and image upload

Network Indicators:

  • HTTP requests with JavaScript in image filename parameters
  • Outbound connections to suspicious domains after image views

SIEM Query:

source="web_logs" AND (url="*[name]=*.jpg*" OR url="*javascript:*")

📊 Metadata

CVE ID: CVE-2023-32670
CVSS v3 Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-79
Published: October 3, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-32670, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)