CVE-2020-15139

Name of the Vulnerable Software and Affected Versions MyBB versions prior to 1.8.24

Description The issue arises from improper input escaping in the custom MyCode for the visual editor, leading to a DOM-based XSS vulnerability. This can be exploited by directing a victim to a page with the visual editor active, such as a post or Private Message, where it operates on a maliciously crafted MyCode message. Exploitation scenarios include pages with pre-filled message content using GET/POST parameters or reply pages quoting previously saved malicious messages.

Recommendations For versions prior to 1.8.24, upgrade to version 1.8.24 and ensure the version attribute in the codebuttons template is updated for non-default themes to serve the latest version of the patched jscripts/bbcodes sceditor.js file.