Bug Source: XMB, all versions
Symptoms: Unexpected output, Javascript compromise (XSS)
Security Impact: High
ID: CVE-2021-29399
Disclosed by: Igor Sak-Sakovskiy,
Positive Technologies
Fixed By:
XMB 1.9.12.03 and later are not affected.
XMB 1.9.11.16 also includes this patch.
Discussion:
Users or spammers could manipulate the website to reveal private information or misdirect other users by injecting browser scripts. This defect in
the BBCode feature was disclosed privately so that a patch could be developed before any details were published. BBCode is a highly restrictive
substitute for HTML that normally protects the website. This patch changes the way BBCode is processed within XMB to further reinforce the blocking
of all scripts.
Recommendations:
Servers running PHP 7 or PHP 8
Servers running PHP 5
If you installed XMB 1.9.11 - Files can be replaced or merged from XMB-1.9.11.16.zip
If you installed XMB 1.9.1 through 1.9.10 - Upgrade to version 1.9.11.16.
Please consider updating your server with a new version of PHP.
Upgrade Instructions
Diff Options:
As an extra alternative, diff files are available for the previous patch levels. These are smaller and easier to apply to customized websites.
Please note that these patch levels do not provide PHP 8 compatibility.
Patch Instructions
Attachment:
xmb-1.9.12-bbcode.patch (7kB)
This file has been downloaded 412 times
Attachment:
xmb-1.9.11-bbcode.patch (6kB)
This file has been downloaded 402 times
Patching Unsupported Versions:
Attempting to modify versions less than 1.9.11 is strongly discouraged because the BBCode functions and related features are different in each
version. XMB 1.9.12.03 is the most secure version and the preferred solution.