MyBB CVE-2023-46251 – Stored DOM XSS

by Prapattimynk

Custom MyCode (BBCode) for the visual editor (SCEditor) doesn’t escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability.

The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted.

The impact is reduced when:

  • the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or
  • the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages checkbox is not checked).

Usage:

[size='1337px;\">>\<img/src=ccc/ onerror=alert`1`//id=name //&pt;']eviltext[/size]
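
The missing escaping described above, modelled as a BBCode-to-HTML callback for a [size=...] tag with a hardened version beside it. This is an added example, not MyBB or SCEditor source; the function names, the size allowlist and the inert sample input are assumptions made for illustration.

```javascript
// Simplified model of a BBCode-to-HTML callback for a [size=...] tag.
// All function names are hypothetical; this is not MyBB or SCEditor source.

// Vulnerable pattern: the tag attribute is concatenated into markup as-is.
function renderSizeUnsafe(attr, content) {
  return '<span style="font-size: ' + attr + '">' + content + '</span>';
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed allowlist: a 1-3 digit number with a unit, or a CSS size keyword.
const SIZE_RE = /^(?:[1-9]\d{0,2}(?:px|pt|em|%)|(?:xx?-)?(?:small|large)|medium)$/;

// Hardened pattern: validate the attribute, then escape everything emitted.
function renderSizeSafe(attr, content) {
  const value = String(attr).trim().toLowerCase();
  const body = escapeHtml(content);
  if (!SIZE_RE.test(value)) {
    return body; // unknown size: keep the text, drop the formatting
  }
  return '<span style="font-size: ' + escapeHtml(value) + '">' + body + '</span>';
}

// Lists element start tags in a markup string (regex proxy for a DOM parse).
function openedTags(html) {
  return Array.from(html.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Constructed, inert input: a quote and angle bracket that try to leave the
// style attribute and open a second element.
const crafted = '10px"><i id=injected>';

console.log(openedTags(renderSizeUnsafe(crafted, 'text'))); // [ 'span', 'i' ]
console.log(openedTags(renderSizeSafe(crafted, 'text')));   // []
console.log(renderSizeSafe('12px', 'a < b'));
```

The unsafe renderer lets the attribute value close the style attribute and start a second element, while the hardened one emits either a single well-formed span or plain escaped text.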