CVE-2023-46251

7.5 HIGH

📋 TL;DR

This DOM-based XSS vulnerability in MyBB forum software allows attackers to execute malicious JavaScript in victims' browsers by tricking them into viewing specially crafted MyCode messages in the visual editor. It affects MyBB installations with the visual editor enabled, potentially compromising user accounts and session data. The vulnerability requires user interaction but can be exploited through malicious links or pre-filled content.

💻 Affected Systems

Products:
  • MyBB
Versions: All versions before 1.8.37
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the visual editor (Clickable MyCode Editor) enabled. Both global and per-user settings can enable this feature.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can steal session cookies, perform actions as authenticated users, deface forums, or redirect users to malicious sites, potentially leading to full account compromise.

🟠 Likely Case

Session hijacking, account takeover, or defacement of forum content through injected scripts.

🟢 If Mitigated

No impact if visual editor is disabled or proper input sanitization is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking malicious link or viewing pre-filled content) and the visual editor to be active. Attackers need to craft malicious MyCode messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.37

Vendor Advisory: https://github.com/mybb/mybb/security/advisories/GHSA-wj33-q7vj-9fr8

Restart Required: No

Instructions:

1. Download MyBB 1.8.37 from mybb.com.
2. Backup your current installation.
3. Replace files with new version.
4. Run upgrade script if needed.
5. Verify visual editor still works as expected.

🔧 Temporary Workarounds

Disable Visual Editor Globally

all

Turn off the Clickable MyCode Editor in admin settings to prevent exploitation.

Disable Visual Editor Per User

all

Users can disable 'Show the MyCode formatting options on the posting pages' in their profile settings.

🧯 If You Can't Patch

  • Disable the visual editor globally in Admin CP → Configuration → Settings → Clickable Smilies and BB Code
  • Educate users to disable visual editor in User CP → Your Profile → Edit Options

🔍 How to Verify

Check if Vulnerable:

Check if MyBB version is below 1.8.37 and visual editor is enabled in settings.

Check Version:

Check inc/config.php for $config['version'] or view footer on admin pages

Verify Fix Applied:

Verify installation is version 1.8.37 or higher, and test that MyCode input is properly escaped in visual editor.

📡 Detection & Monitoring

Log Indicators:

  • Unusual MyCode patterns in posts/PMs
  • Multiple failed login attempts from same IP after suspicious posts

Network Indicators:

  • Requests containing malicious script patterns in GET/POST parameters

SIEM Query:

Search for patterns like '<script>' or 'javascript:' in forum post content or URL parameters
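Added example (not MyBB's code, not part of this advisory): the SIEM search above applied to constructed sample post rows and a constructed query string, decoding URL and HTML-entity encoding first so the indicator strings are not missed by a literal, case-sensitive match. Table column names and sample values are assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, unquote

# The indicator strings named in the advisory, matched case-insensitively and
# only after decoding, so case or URL/entity encoding does not defeat the search.
INDICATORS = re.compile(r"<\s*script\b|javascript:", re.IGNORECASE)


def normalise(value: str) -> str:
    """Undo URL and HTML-entity encoding (bounded, to cope with double encoding)."""
    text = value
    for _ in range(3):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def is_suspicious(value: str) -> bool:
    return INDICATORS.search(normalise(value)) is not None


def scan_posts(posts):
    """Return (pid, uid) of rows whose message carries an indicator."""
    return [(row["pid"], row["uid"]) for row in posts if is_suspicious(row["message"])]


def scan_query(query_string: str):
    """Return the names of query-string parameters that carry an indicator."""
    params = parse_qs(query_string, keep_blank_values=True)
    return sorted(n for n, vals in params.items() if any(is_suspicious(v) for v in vals))


# Constructed sample rows shaped like a MyBB posts table (pid, uid, message); assumption.
SAMPLE_POSTS = [
    {"pid": 101, "uid": 7, "message": "[b]Welcome[/b] to the forum, read the <b>rules</b>."},
    {"pid": 102, "uid": 9, "message": "[url=JavaScript:alert(1)]click me[/url]"},
    {"pid": 103, "uid": 9, "message": "&lt;script&gt;x&lt;/script&gt;"},
    {"pid": 104, "uid": 3, "message": "We discuss JavaScript and scripting languages here."},
]

# Constructed request query string with a URL-encoded '<script>' in one parameter.
SAMPLE_QUERY = "action=newreply&subject=hello&message=%3Cscript%3E"

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))  # [(102, 9), (103, 9)]
    print(scan_query(SAMPLE_QUERY))  # ['message']
```

Post 104 shows the benign case the decoded match should not flag: the word "JavaScript" alone is not the `javascript:` URL scheme.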
