VYPR
Unrated severity · NVD Advisory · Published Jun 25, 2009 · Updated Apr 23, 2026

CVE-2009-2217

Description

Cross-site scripting (XSS) vulnerability in NBBC before 1.4.2 allows remote attackers to inject arbitrary web script or HTML via an invalid URL in a BBCode img tag.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NBBC before 1.4.2 allows XSS via invalid URL in BBCode [img] tag, leading to arbitrary script injection.

Vulnerability

The NBBC BBCode parser before version 1.4.2 fails to HTML-encode the rejected text when an invalid URL is passed to an [img] tag. This allows an attacker to inject arbitrary HTML and JavaScript into the output. [1][2][3]

Exploitation

An attacker can craft a BBCode message containing an [img] tag with an invalid URL that includes malicious script. When the parser processes this tag, it outputs the invalid URL without encoding, enabling cross-site scripting. No authentication is required if the application allows user-generated content. [1][2]

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser, potentially leading to cookie theft, session hijacking, or defacement. The attack targets end-users viewing the content. [2][3]

Mitigation

The issue is fixed in NBBC version 1.4.2, released on 2009-06-21. Users should upgrade to this version or later. [1][2][3]
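As an added illustration of the bug class described above (this is not NBBC's own code, which is PHP): a toy [img] handler in Python that validates the URL and, in the pre-fix variant, echoes the rejected tag text into the HTML output unencoded, beside the fixed variant that HTML-encodes it. The scheme allow-list, the surrounding mini-renderer and the `leaks_markup` check are assumptions made for this demonstration, not NBBC's real validation rules.

```python
import html
import re
from urllib.parse import urlparse

# Hypothetical allow-list; NBBC's real URL validation is not reproduced here.
SAFE_SCHEMES = {"http", "https"}


def is_valid_image_url(url: str) -> bool:
    """Accept only absolute http(s) URLs with a host part."""
    parts = urlparse(url)
    return parts.scheme in SAFE_SCHEMES and bool(parts.netloc)


def render_img_vulnerable(url: str) -> str:
    """Pre-fix behaviour: the rejected [img] text is echoed raw into the HTML."""
    if is_valid_image_url(url):
        return '<img src="%s" />' % html.escape(url, quote=True)
    return "[img]%s[/img]" % url  # attacker-controlled text leaks unencoded


def render_img_fixed(url: str) -> str:
    """Fixed behaviour: the rejected text is HTML-encoded before output."""
    if is_valid_image_url(url):
        return '<img src="%s" />' % html.escape(url, quote=True)
    return "[img]%s[/img]" % html.escape(url, quote=True)


def render_bbcode(text: str, img_handler) -> str:
    """Minimal renderer: escape all plain text, delegate [img]...[/img] to a handler."""
    out, pos = [], 0
    for m in re.finditer(r"\[img\](.*?)\[/img\]", text, flags=re.IGNORECASE | re.DOTALL):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(img_handler(m.group(1)))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def leaks_markup(rendered: str) -> bool:
    """Defender check: does any tag other than the <img> we emit appear in the output?"""
    return bool(re.search(r"<(?!img\b)[a-zA-Z]", rendered))


# Constructed sample: an invalid URL carrying stray markup, as a user post might.
SAMPLE_POST = "Look: [img]not-a-url <b>bold</b>[/img]"
```

Running `render_bbcode(SAMPLE_POST, render_img_vulnerable)` lets the `<b>` tag through, while the `render_img_fixed` variant emits `&lt;b&gt;` and `leaks_markup` reports nothing.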

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Phantom Inker / NBBC (16 versions)
    • cpe:2.3:a:phantom-inker:nbbc:*:*:*:*:*:*:*:* (range: <=1.4.1)
    • cpe:2.3:a:phantom-inker:nbbc:1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.0:rc:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.0:rc2:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.0:rc4:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.3.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.3.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.3.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.3.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phantom-inker:nbbc:alpha:*:*:*:*:*:*:*
  • NBBC / NBBC (llm-create)
    Range: <1.4.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.