CVE-2023-53978
BaseFortify
Publication date: 2025-12-22
Last updated on: 2025-12-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mybb | mybb | 1.8.26 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2023-53978 is a stored cross-site scripting (XSS) vulnerability in myBB Forums version 1.8.26. It occurs in the forum announcement system where authenticated administrators can inject malicious JavaScript code into the announcement title field when creating announcements. This malicious script is then stored and executed whenever the announcement is displayed on the forum, allowing arbitrary JavaScript execution in the context of users viewing the announcement. [1, 3]
How can this vulnerability impact me? :
This vulnerability can lead to arbitrary JavaScript execution in the browser of anyone viewing the affected forum announcements. Potential impacts include session hijacking, defacement of the forum, or other malicious actions performed by the injected script. Since the attack requires an authenticated administrator to inject the script, the risk involves compromised administrator accounts or insider threats. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to inject typical XSS payloads into the announcement title field via the 'Forums and Posts' > 'Forum Announcements' interface as an authenticated administrator. For example, using HTTP POST requests with payloads like `"><img src=x onerror=alert(1)>` or `<script>alert(1)</script>` in the announcement title and then checking if the payload executes when the announcement is displayed. Detection can be performed by monitoring HTTP requests and responses to the forum announcements add endpoint and verifying if injected scripts are rendered unsanitized. Specific commands include using curl to send POST requests with malicious payloads to the announcement creation endpoint and then using curl or a browser to GET the forum homepage to see if the script executes. Example curl command to test injection: `curl -X POST -d "title=\"><img src=x onerror=alert(1)>" -d "message=Test" https://your-forum.com/admin/index.php?module=forum-announcements&action=add` followed by checking the forum homepage for script execution. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrator access to trusted users only, avoiding the creation or editing of forum announcements until a patch or fix is applied, and monitoring for suspicious announcement titles containing script tags or unusual HTML. Additionally, applying input validation and output encoding on the announcement title field to prevent script injection is critical. If available, update myBB Forums to a version where this vulnerability is fixed. As a temporary workaround, disable or restrict the forum announcement feature for administrators until a patch is applied. [1, 3]