MyBulletinBoard (MyBB) usercp.php User Profile website Field XSS
Remote / Network Access
Loss of Integrity
MyBulletinBoard (MyBB) contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'website' field upon submission to the User Profile script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Currently, there are no known workarounds or upgrades to correct this issue. However, MyBulletinBoard Group has released a patch to address this vulnerability.
MyBB is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
No exploit is required.
The vendor has released a patch for this issue. Please see the referenced vendor security update for further information.