CVE-2023-46251

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (SCEditor) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (Admin CP → Configuration → Settings → Clickable Smilies and BB Code: Clickable MyCode Editor is set to Off), or 2. the visual editor is disabled for individual user accounts (User CP → Your Profile → Edit Options: Show the MyCode formatting options on the posting pages