MyBB Community Forums

MyBB Community Forums > 1.8 Support > Installation and Upgrades Support > SCeditor Exploit
Full Version: SCeditor Exploit
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

User 2877

2020-01-02, 07:39 PM
The "Low risk: SCEditor reflected XSS" fix in the latest update.

I see the patch file but it's huge and a mess and also my sites sceditor is a bit behind on updates.

Any chance I can see the actual Github issue so I can dissect this a bit easier?

This also leads me into asking why security issues even after they are resolved in a release are not viewable on the Github.

Devilshakerz

2020-01-02, 08:05 PM
https://github.com/samclarke/SCEditor/pull/763/files

User 2877

2020-01-02, 08:36 PM
Thank you sir! Exactly what I was looking for. Now was I blind or is that not really part of the "Issues" on the MyBB Github?

Devilshakerz

2020-01-02, 08:46 PM
(2020-01-02, 08:36 PM)labrocca Wrote: [ -> ]Thank you sir! Exactly what I was looking for. Now was I blind or is that not really part of the "Issues" on the MyBB Github?

The Pull Request to SCEditor was just opened, basing on our internal git diff for SCEditor source files (MyBB only ships with the minified .js version, which is why the security patch looked like garbage).
Not sure if it will make it to an actual SCEditor release (2.1.3 is from May 2018), but should help if any other projects use it.
MyBB Community Forums > 1.8 Support > Installation and Upgrades Support > SCeditor Exploit