CVE-2024-52702
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in MyBB v1.8.38 allows attackers to inject malicious scripts into the Website Name parameter during installation. This could enable session hijacking, defacement, or credential theft when users view affected pages. Only administrators can set this parameter, limiting the attack surface to compromised admin accounts or insider threats.
💻 Affected Systems
- MyBB
📦 What is this software?
MyBB (forum software) by MyBB
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin access could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users across the entire forum.
Likely Case
Limited impact since only administrators can set the vulnerable parameter. Most probable scenario is accidental script injection by an admin or targeted attack against a compromised admin account.
If Mitigated
If proper access controls are maintained and administrators are trusted, impact is minimal as only authorized users can modify the vulnerable field.
🎯 Exploit Status
Exploitation requires administrative access to set the Website Name parameter. The vulnerability is simple to exploit once admin credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/mybb/mybb/issues/4859
Restart Required: No
Instructions:
No official patch available. The vendor disputes this as a vulnerability since administrators can intentionally use JavaScript in this field. Consider implementing input validation as a precaution.
🔧 Temporary Workarounds
Implement Input Validation
- Add server-side validation to sanitize or reject JavaScript in the Website Name field
- Modify install/index.php to sanitize the website_name parameter before storage
Content Security Policy
- Implement CSP headers to restrict script execution
- Add a Content-Security-Policy header to restrict script sources
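The two workarounds above, input validation on the stored value plus a CSP header, as an added example. This is not MyBB's own code and does not reproduce install/index.php; the function names and the sample inputs are assumptions made for the illustration, and only the parameter name website_name comes from this page.

```php
<?php
// Added example (not MyBB's own code): refuse script content in the
// "Website Name" value before storage, escape it on output, and send a
// CSP header that blocks inline scripts as a second layer.
// Function names and sample values are assumptions for this illustration.

/**
 * Reject a website name that carries HTML or script content, so a value
 * such as '<script>alert(1)</script>' is never stored in the first place.
 * Returns the trimmed name, or null when the value is not acceptable.
 */
function validate_website_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    // Angle brackets and the javascript: scheme are refused outright;
    // a board title legitimately needs neither.
    if (preg_match('/[<>]|javascript\s*:/i', $name)) {
        return null;
    }
    return $name;
}

/**
 * Escape a website name for output inside HTML. ENT_QUOTES covers both
 * quote styles so the value is also safe inside an attribute.
 */
function render_website_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the CSP header value that blocks inline script execution. */
function csp_header_value(): string
{
    // Without 'unsafe-inline', an injected <script> block is not executed
    // by a CSP-aware browser even if escaping was missed somewhere.
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Headers must go out before any page output; skipped when run from the CLI.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header('Content-Security-Policy: ' . csp_header_value());
}

// Constructed inputs: an ordinary title and the classic XSS test string.
$candidates = ['My Forum', '<script>alert(1)</script>'];
foreach ($candidates as $candidate) {
    $clean = validate_website_name($candidate);
    if ($clean === null) {
        // Even the rejected value is escaped before it is echoed back.
        echo "rejected: " . render_website_name($candidate) . "\n";
        continue;
    }
    echo "accepted: " . render_website_name($clean) . "\n";
}
```

Escaping on output is the stricter of the two controls: it neutralizes any markup in the field, including markup an administrator placed there on purpose, which is the trade-off behind the vendor's position that this is intended behaviour. The CSP header is independent of the template code and still blocks an inline script if an escaping step is missed elsewhere.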
🧯 If You Can't Patch
- Restrict administrative access to trusted personnel only
- Monitor admin account activity for unauthorized changes to configuration
🔍 How to Verify
Check if Vulnerable:
Check if running MyBB v1.8.38 and review install/index.php for lack of input sanitization on the website_name parameter
Check Version:
Check MyBB Admin CP → Version & Update section or examine inc/version.php
Verify Fix Applied:
Verify that Website Name field properly sanitizes or escapes HTML/JavaScript input
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to configuration settings
- Admin account logins from unexpected locations
Network Indicators:
- Unexpected JavaScript payloads in configuration requests
SIEM Query:
Search for POST requests to install/index.php containing script tags or JavaScript in parameters
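The SIEM query above expressed as detection logic run over sample request records, as an added example that is not part of the original page. The record layout (method, path, params, src_ip) is a constructed assumption; real SIEM field names differ, and the sample records are constructed.

```php
<?php
// Added example (not part of the original page): flag POST requests to
// install/index.php whose parameters carry script tags or JavaScript.
// The record layout below is assumed; adapt the field names to your SIEM.

/** Patterns that indicate script content in a parameter value. */
const SCRIPT_PATTERNS = [
    '/<\s*script\b/i',      // opening <script> tag
    '/javascript\s*:/i',    // javascript: URL scheme
    '/\bon[a-z]+\s*=/i',    // inline event handler such as onerror=
];

/** Return true when any parameter value matches a script pattern. */
function has_script_payload(array $params): bool
{
    foreach ($params as $value) {
        foreach (SCRIPT_PATTERNS as $pattern) {
            if (preg_match($pattern, (string) $value)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Filter request records down to suspicious ones: a POST to
 * install/index.php with a script payload in its parameters.
 * Each record is an associative array with 'method', 'path',
 * 'params' and 'src_ip' keys (assumed layout).
 */
function find_suspicious_requests(array $records): array
{
    $target = 'install/index.php';
    return array_values(array_filter($records, function (array $r) use ($target): bool {
        return strtoupper($r['method']) === 'POST'
            && substr($r['path'], -strlen($target)) === $target
            && has_script_payload($r['params']);
    }));
}

// Constructed sample records: one benign install request, one carrying
// the standard XSS test string, and one unrelated GET that must not match.
$records = [
    ['method' => 'POST', 'path' => '/install/index.php', 'src_ip' => '10.0.0.5',
     'params' => ['website_name' => 'Community Board']],
    ['method' => 'POST', 'path' => '/install/index.php', 'src_ip' => '203.0.113.7',
     'params' => ['website_name' => '<script>alert(1)</script>']],
    ['method' => 'GET', 'path' => '/index.php', 'src_ip' => '10.0.0.8',
     'params' => ['q' => '<script>']],
];

foreach (find_suspicious_requests($records) as $hit) {
    printf("ALERT %s POST %s website_name=%s\n",
        $hit['src_ip'], $hit['path'], $hit['params']['website_name']);
}
```

Only the second record is reported. Because the Website Name can only be set by an administrator, an alert from this rule should be correlated with the admin login indicators listed above (unexpected source location, unusual configuration changes) to separate a compromised account from an administrator acting on purpose.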