PT-2023-24892 · Pybb

Published: 2023-06-19 · Updated: 2023-06-27 · CVE-2023-34461
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: PyBB version 0.1.0

Description: A manual code review of the PyBB bulletin board server revealed a vulnerability that allows users to submit any type of HTML tag in a post, which the browser then renders and executes. For example, a malicious <a> tag such as <a href=javascript:alert(1)>xss</a> can be used to run JavaScript on the client side of every user who views the post. Attackers need posting privilege to exploit this issue.

Recommendations: For version 0.1.0, upgrade to version 0.1.1 to resolve the issue. As a temporary workaround, users unable to upgrade can disable the ability to create posts. Alternatively, remove the |safe filter from the Jinja2 template "post.html" in the templates directory. Another option is to add manual validation of links in the post creation section.
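The following is an added example, not code from the advisory or from the PyBB project, showing why the |safe filter matters and how the two code-level recommendations behave. It uses only the Python standard library: html.escape stands in for Jinja2's autoescaping (which is what removing |safe re-enables, assuming the application renders templates with autoescape on, as Flask does for .html templates), and the render_post_* helpers, the LinkCollector parser, is_safe_link and validate_post_links are constructed for this example. The sample post body is the payload quoted in the advisory.

```python
"""Added example (not PyBB project code): the effect of Jinja2's ``|safe``
filter on a user-controlled post, and a link validator for post creation.
``html.escape`` models Jinja2 autoescaping; all helper names are
constructed for this example."""
from __future__ import annotations

from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample post body: the same payload the advisory quotes.
MALICIOUS_BODY = "<a href=javascript:alert(1)>xss</a>"


def render_post_unsafe(body: str) -> str:
    """Equivalent of ``{{ post.body|safe }}``: the body is inserted verbatim,
    so any tag the poster wrote reaches every viewer's browser as markup."""
    return f'<div class="post">{body}</div>'


def render_post_escaped(body: str) -> str:
    """Equivalent of ``{{ post.body }}`` with autoescape on (i.e. after the
    ``|safe`` filter is removed): <, >, &, and quotes become entities and the
    post is displayed as text, not parsed as HTML."""
    return f'<div class="post">{escape(body, quote=True)}</div>'


# Manual link validation for the post creation path: allowlist URL schemes
# rather than trying to blocklist "javascript:" spellings.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_link(url: str) -> bool:
    """Accept only absolute http(s) URLs; anything else (javascript:, data:,
    scheme-less or relative paths, unparsable input) is rejected."""
    try:
        parsed = urlparse(url.strip())
    except ValueError:  # e.g. a malformed IPv6 host
        return False
    return parsed.scheme.lower() in ALLOWED_SCHEMES and bool(parsed.netloc)


class LinkCollector(HTMLParser):
    """Collect every href of every <a> tag in a post body."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: list[str] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def validate_post_links(body: str) -> list[str]:
    """Return the hrefs in *body* that fail is_safe_link.
    An empty list means the post may be accepted; a non-empty list lists
    the links the creation handler should reject."""
    collector = LinkCollector()
    collector.feed(body)
    collector.close()
    return [href for href in collector.hrefs if not is_safe_link(href)]


if __name__ == "__main__":
    print("with |safe   :", render_post_unsafe(MALICIOUS_BODY))
    print("autoescaped  :", render_post_escaped(MALICIOUS_BODY))
    print("rejected hrefs:", validate_post_links(MALICIOUS_BODY))
```

Link validation covers only the href of <a> tags, while the advisory's first remedies (upgrading, or dropping |safe so the whole post is escaped) neutralise every tag the poster can write; treat the validator as defence in depth on the creation path, not as a substitute for output escaping. The scheme allowlist is deliberate: checking for the literal string "javascript:" is fragile against case and whitespace variants, whereas accepting only http and https needs no knowledge of what to forbid.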

Tags: Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2023-34461
GHSA-MV96-W49P-438P

Affected Products

Pybb