mybb
Upgrade SCEditor to 3.0
https://github.com/samclarke/SCEditor/releases/tag/v3.0.0
Wow, he is active again? This XSS vulnerability is serious?
I hope that for the upcoming MyBB 1.9 you will choose a better editor.
The XSS vulnerability might be the one we patched and pushed a fix for upstream, but I’ve not had time to look at the release notes properly yet.
On Wed, 7 Apr 2021, at 19:58, Eldenroot wrote:
> Wow, he is active again? This XSS vulnerability is serious?
> I hope that for the upcoming MyBB 1.9 you will choose a better editor.
The XSS in question is the same one that was fixed by the MyBB team. This is not a new XSS. Of course, the correction method is different.
For me, the change of editor should be postponed to 1.10. Launching 1.9 with a new theme should be the priority.
There were two XSS vulns: one in the popups and one in the editor itself (see CVE-2019-19466—more details).
@live627 thanks for the information.
For me, about this issue https://github.com/samclarke/SCEditor/pull/767: the MyBB team already fixed it. I did not know that there was another one besides the one that was fixed in the question of XSS.
If so, I apologize for providing incorrect information.