XMB Forum Software
XMB 1.9.12 Lead Developer
Posted on 4-16-2021 at 03:59 PM
[Security] BBCode Defect

Bug Source: XMB, all versions

Symptoms: Unexpected output, JavaScript compromise (XSS)

Security Impact: High

ID: CVE-2021-29399

Disclosed by: Igor Sak-Sakovskiy, Positive Technologies

Fixed By: XMB and later are not affected. XMB also includes this patch.


Users or spammers could manipulate the website to reveal private information or misdirect other users by injecting browser scripts. This defect in the BBCode feature was disclosed privately so that a patch could be developed before any details were published. BBCode is a highly restrictive substitute for HTML that normally protects the website. This patch changes the way BBCode is processed within XMB to further reinforce the blocking of all scripts.

  • Servers running PHP 7 or PHP 8

  • Servers running PHP 5
    • If you installed XMB 1.9.11 - Files can be replaced or merged from XMB-
    • If you installed XMB 1.9.1 through 1.9.10 - Upgrade to version
    • Please consider updating your server with a new version of PHP.

  • Upgrade Instructions

Diff Options:

As an extra alternative, diff files are available for the previous patch levels. These are smaller and easier to apply to customized websites.
Please note that these patch levels do not provide PHP 8 compatibility.

Patch Instructions

Attachment: xmb-1.9.12-bbcode.patch (7kB)

Attachment: xmb-1.9.11-bbcode.patch (6kB)

Patching Unsupported Versions:

Attempting to modify versions less than 1.9.11 is strongly discouraged because the BBCode functions and related features are different in each version. XMB is the most secure version and the preferred solution.
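The post above deliberately does not describe the mechanism of CVE-2021-29399, and nothing here should be read as that mechanism; the XMB fix is in the attached .patch files. As an added illustration that is not XMB's code, the PHP below shows the generic class of defect a BBCode-to-HTML renderer can have (a user-supplied URL copied into an href or src attribute without checking its scheme) beside a hardened renderer that allowlists schemes and leaves rejected tags as visible text. The tag names, regular expressions, scheme allowlist and sample inputs are all assumptions constructed for this example.

```php
<?php
// Added example, not XMB's own code. Illustrates the generic class of
// BBCode-to-HTML defect (script URL reaching an attribute) and one hardened
// form. Tag syntax and the allowlist are assumptions for illustration; the
// advisory does not publish the actual mechanism of CVE-2021-29399.

declare(strict_types=1);

// Naive renderer: escapes HTML metacharacters first, then substitutes
// [url=...] and [img]...[/img] without looking at what kind of URL it is
// putting into href/src. A "javascript:" URL survives htmlspecialchars().
function render_naive(string $bbcode): string
{
    $html = htmlspecialchars($bbcode, ENT_QUOTES, 'UTF-8');
    $html = preg_replace('#\[url=([^\]]+)\](.*?)\[/url\]#is', '<a href="$1">$2</a>', $html);
    $html = preg_replace('#\[img\](.*?)\[/img\]#is', '<img src="$1">', $html);
    return $html;
}

// Return an attribute-safe URL, or null when the scheme is not allowlisted.
function safe_url(string $escaped): ?string
{
    // Validate the real URL, not its entity-escaped form.
    $url = html_entity_decode($escaped, ENT_QUOTES, 'UTF-8');
    // Browsers drop ASCII control characters and whitespace while parsing a
    // scheme, so "java\tscript:" must be normalized before the check.
    $url = preg_replace('/[\x00-\x20\x7F]+/', '', $url);
    if (!preg_match('#^(?:https?|ftp)://[^\s"\'<>]+$#i', $url)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Hardened renderer: same tags, but a rejected URL leaves the BBCode as
// escaped text on the page instead of becoming an attribute value.
function render_hardened(string $bbcode): string
{
    $html = htmlspecialchars($bbcode, ENT_QUOTES, 'UTF-8');
    $html = preg_replace_callback('#\[url=([^\]]+)\](.*?)\[/url\]#is', function (array $m): string {
        $url = safe_url($m[1]);
        return $url === null ? $m[0] : '<a href="' . $url . '" rel="nofollow">' . $m[2] . '</a>';
    }, $html);
    $html = preg_replace_callback('#\[img\](.*?)\[/img\]#is', function (array $m): string {
        $url = safe_url($m[1]);
        return $url === null ? $m[0] : '<img src="' . $url . '" alt="">';
    }, $html);
    return $html;
}

// Constructed inputs: one benign link and two script-injection attempts.
$samples = [
    '[url=https://example.com/]site[/url]',
    '[url=javascript:alert(document.cookie)]click[/url]',
    "[img]java\tscript:alert(1)[/img]",
];
foreach ($samples as $s) {
    echo 'naive:    ', render_naive($s), PHP_EOL;
    echo 'hardened: ', render_hardened($s), PHP_EOL;
}
```

Run it with `php bbcode_example.php`. For the second and third samples the naive renderer emits `href="javascript:alert(document.cookie)"` and `src="java<TAB>script:alert(1)"`, both of which a browser executes as script, while the hardened renderer prints the BBCode back as inert text. The design point is the one the advisory makes: escaping alone does not make BBCode safe, because the output grammar (a URL inside an attribute) has its own rules, so every value that lands in an attribute needs validation against that grammar, not just entity encoding.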


XMB Forum Software © 2001-2024 The XMB Group