CVE-2023-53978
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-22

Last updated on: 2025-12-27

Assigner: VulnCheck

Description
myBB Forums 1.8.26 contains a stored cross-site scripting vulnerability in the forum announcement system that allows authenticated administrators to inject malicious scripts when creating announcements. Attackers can exploit this vulnerability by inserting script payloads in the announcement title field when adding announcements through the 'Forums and Posts' > 'Forum Announcements' interface, causing arbitrary JavaScript to execute when the announcement is displayed on the forum.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-22
Last Modified
2025-12-27
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2023-53978
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mybb mybb 1.8.26
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2023-53978 is a stored cross-site scripting (XSS) vulnerability in myBB Forums version 1.8.26. It occurs in the forum announcement system where authenticated administrators can inject malicious JavaScript code into the announcement title field when creating announcements. This malicious script is then stored and executed whenever the announcement is displayed on the forum, allowing arbitrary JavaScript execution in the context of users viewing the announcement. [1, 3]

Impact Analysis

This vulnerability can lead to arbitrary JavaScript execution in the browser of anyone viewing the affected forum announcements. Potential impacts include session hijacking, defacement of the forum, or other malicious actions performed by the injected script. Since the attack requires an authenticated administrator to inject the script, the risk involves compromised administrator accounts or insider threats. [1, 3]

Detection Guidance

This vulnerability can be detected by attempting to inject typical XSS payloads into the announcement title field via the 'Forums and Posts' > 'Forum Announcements' interface as an authenticated administrator. For example, using HTTP POST requests with payloads like `"><img src=x onerror=alert(1)>` or `<script>alert(1)</script>` in the announcement title and then checking if the payload executes when the announcement is displayed. Detection can be performed by monitoring HTTP requests and responses to the forum announcements add endpoint and verifying if injected scripts are rendered unsanitized. Specific commands include using curl to send POST requests with malicious payloads to the announcement creation endpoint and then using curl or a browser to GET the forum homepage to see if the script executes. Example curl command to test injection: `curl -X POST -d "title=\"><img src=x onerror=alert(1)>" -d "message=Test" https://your-forum.com/admin/index.php?module=forum-announcements&action=add` followed by checking the forum homepage for script execution. [3]

Mitigation Strategies

Immediate mitigation steps include restricting administrator access to trusted users only, avoiding the creation or editing of forum announcements until a patch or fix is applied, and monitoring for suspicious announcement titles containing script tags or unusual HTML. Additionally, applying input validation and output encoding on the announcement title field to prevent script injection is critical. If available, update myBB Forums to a version where this vulnerability is fixed. As a temporary workaround, disable or restrict the forum announcement feature for administrators until a patch is applied. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-53978. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart