CVE-2022-43707: Stored XSS vulnerability in MyBB Forum Software


The developers of the free and open-source forum software MyBB last week disclosed three vulnerabilities patched in their software.

MyBB is a free and open-source, community-based forum software project managed, developed, and supported by volunteers. Since its inception in 2002, the MyBB Group has been committed to developing the best forum software possible.

According to the MyBB Team, the first flaw, a persistent XSS vulnerability (CVE-2022-43707), exists in the visual MyCode editor (SCEditor), thus enabling remote attackers to inject HTML via user input or stored data.

The impact may be reduced when:

  • the “Show the MyCode formatting options on the posting pages.” option (User CP → Your Profile → Edit Options) is disabled for individual users, or
  • the “Put the editor in source mode by default.” option (User CP → Your Profile → Edit Options) is enabled for individual users, and the editor is not switched to preview (WYSIWYG) mode.

“SCEditor 2.1.3, bundled with MyBB, does not parse the provided content correctly, producing malformed output that results in an XSS vulnerability,” MyBB said in an advisory.

To reduce the impact of CVE-2022-43707 without upgrading MyBB, the administrator can change the following setting (Admin CP → Configuration → Settings):

Besides the aforementioned vulnerability, version 1.8.32 also resolves two other security shortcomings that were identified by the MyBB Team, including:

  • CVE-2022-43708 (CVSS score: 7.5): Multiple cross-site scripting (XSS) vulnerabilities in the post Attachments interface allow attackers to inject HTML by persuading the user to upload a file with a specially crafted name.
  • CVE-2022-43709 (CVSS score: 7.2): SQL injection vulnerability in the Admin CP’s Users module allows remote authenticated users to modify the query string via direct user input or stored search filter settings.
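The attachment-name issue above (CVE-2022-43708) is a classic output-encoding failure: a stored filename reaches the page without being encoded for the context it lands in. The following Python is an added illustration, not MyBB's own code; it contrasts a vulnerable rendering pattern with a context-aware hardened one and flags stored names worth reviewing on an instance that has not yet been upgraded. The function names, the `attachment.php` URL form and the sample filenames are assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed sample attachment names, as an administrator might export
# from the attachments table for review. Not real data.
SAMPLE_NAMES = [
    "report.pdf",
    'photo "2022".jpg',
    "notes<s>x</s>.txt",
    "archive.zip",
]

# Characters that can break out of an HTML text node or attribute value.
HTML_SPECIALS = re.compile(r'[<>"\']')


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: the raw filename is interpolated into markup,
    so any markup inside the name becomes part of the page."""
    return f'<a href="attachment.php?file={name}">{name}</a>'


def render_safe(name: str) -> str:
    """Hardened pattern: encode for each context separately.
    The URL part is percent-encoded, then HTML-escaped because it sits in
    an attribute; the link text is HTML-escaped for a text node."""
    url_part = html.escape(quote(name, safe=""), quote=True)
    text_part = html.escape(name, quote=True)
    return f'<a href="attachment.php?file={url_part}">{text_part}</a>'


def suspicious_names(names):
    """Return the stored names that contain HTML-significant characters.
    On an unpatched instance these are the ones a reviewer should look at;
    on a patched one they are harmless but still worth a glance."""
    return [n for n in names if HTML_SPECIALS.search(n)]


if __name__ == "__main__":
    for n in suspicious_names(SAMPLE_NAMES):
        print("flagged:", n)
        print("  unsafe:", render_unsafe(n))
        print("  safe:  ", render_safe(n))
```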

MyBB users are advised to upgrade to the latest version (1.8.32) to mitigate the risk associated with the flaws.