CVE-2020-15139
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2020-15139
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-15139.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2020-15139
- Aliases
-
- BIT-mybb-2020-15139
- GHSA-37h7-vfv6-f8rj
- Published
- 2020-08-10T22:15:14Z
- Modified
- 2024-10-12T06:10:59.683640Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In MyBB before version 1.8.24, the custom MyCode (BBCode) for the visual editor doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. The weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. After upgrading MyBB to 1.8.24, make sure to update the version attribute in the
codebuttonstemplate for non-default themes to serve the latest version of the patchedjscripts/bbcodes_sceditor.jsfile. - References
Affected packages
Git / github.com/mybb/mybb
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mybb/mybb
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
mybb_1800
mybb_1801
mybb_1804
mybb_1805
mybb_1806
mybb_1807
mybb_1808
mybb_1809
mybb_1810
mybb_1811
mybb_1812
mybb_1813
mybb_1814
mybb_1815
mybb_1815_build
mybb_1816
mybb_1816_build
mybb_1817
mybb_1817_build
mybb_1818
mybb_1818_build
mybb_1819
mybb_1819_build
mybb_1820
mybb_1820-rc
mybb_1820_build
mybb_1821
mybb_1821_build
mybb_1821pl1
mybb_1822
mybb_1822_build
mybb_1823
mybb_1823_build