VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2019 · Updated Aug 4, 2024

CVE-2019-9650

Description

An XSS issue was discovered in upcoming_events.php in the Upcoming Events plugin before 1.33 for MyBB via a crafted name for an event.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing HTML escaping on event names and usernames before rendering in template output allows stored cross-site scripting."

Attack vector

An attacker with the ability to create or edit events (typically a forum user who can post calendar events) can craft a malicious event name containing JavaScript payloads, such as `<script>alert(1)</script>` [ref_id=1]. When the Upcoming Events plugin renders the event list on the index or portal page, the unsanitized name is injected directly into the page HTML, causing the script to execute in the context of any user who views the affected page. No authentication beyond standard event-creation privileges is required.

Affected code

The vulnerability is in `upcoming_events.php` within the Upcoming Events plugin for MyBB. The `get_upcoming_events()` function retrieves event names from the database and passes them unsanitized into template variables such as `$event['link']`, which are then rendered via `$lang->sprintf()` calls like `$lang->upcoming_events_eventline` and `$lang->upcoming_events_created` [ref_id=1]. No escaping or HTML sanitization is applied to the event name before it is output.

What the fix does

The patch sanitizes event names and usernames by wrapping them with `htmlspecialchars()` before they are used in output [ref_id=1]. This converts HTML special characters like `<` and `>` into their safe entity equivalents, preventing any injected script tags from being interpreted by the browser. The fix is applied to the data retrieved in `get_upcoming_events()` so that all downstream template rendering receives escaped strings.
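The pattern described above, reduced to a stand-alone illustration (this is added example code, not the plugin's or MyBB's own source): a vulnerable renderer that interpolates the raw event name and username into an HTML line, beside the hardened version that escapes both fields with `htmlspecialchars()` first. The row layout, the template string and the sample event are assumptions; MyBB's `$lang->sprintf()` is replaced by plain `sprintf()` so the file runs without the forum installed.

```php
<?php
// Added illustration of the advisory's fix pattern; not the plugin's own code.
// The template string and the row shape below are assumptions made for this example.

/** Stand-in for the plugin's event-line language string (assumed layout). */
const EVENTLINE_TEMPLATE = '<li><a href="calendar.php?action=event&amp;eid=%d">%s</a> by %s</li>';

/** Vulnerable rendering: raw database values are placed straight into HTML. */
function render_event_vulnerable(array $event): string
{
    return sprintf(EVENTLINE_TEMPLATE, $event['eid'], $event['name'], $event['username']);
}

/**
 * Hardened rendering: every user-controlled field is escaped before it reaches
 * the template, as the patch does for event names and usernames.
 */
function render_event_fixed(array $event): string
{
    $name     = htmlspecialchars($event['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $username = htmlspecialchars($event['username'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(EVENTLINE_TEMPLATE, (int) $event['eid'], $name, $username);
}

/** Defender-side check: does the rendered line still contain a raw tag from the input? */
function contains_raw_tag(string $html): bool
{
    return (bool) preg_match('/<\s*script\b/i', $html);
}

// Constructed sample row: an event whose name carries the payload shape the advisory cites.
$event = [
    'eid'      => 42,
    'name'     => '<script>alert(1)</script>',
    'username' => 'alice',
];

echo "vulnerable: ", render_event_vulnerable($event), PHP_EOL;
echo "fixed:      ", render_event_fixed($event), PHP_EOL;

// The vulnerable output keeps the tag intact; the fixed output turns it into entities.
assert(contains_raw_tag(render_event_vulnerable($event)) === true);
assert(contains_raw_tag(render_event_fixed($event)) === false);
```

Escaping at the point where the data leaves the database (inside `get_upcoming_events()`, per the advisory) rather than in each template is the more robust choice here, because every downstream `$lang->sprintf()` call then receives already-safe strings and no individual template can forget to escape.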

Preconditions

  • (config) The Upcoming Events plugin must be installed and active on a MyBB forum.
  • (auth) The attacker must have the ability to create or edit calendar events (standard event-posting privileges).
  • (config) The plugin's index or portal display setting must be enabled to render the event list.

Reproduction

1. Log in to the MyBB forum as a user who can create calendar events.
2. Create a new event with a name containing a JavaScript payload, e.g. `<script>alert(document.cookie)</script>`.
3. Navigate to the forum index or portal page where the Upcoming Events plugin displays events.
4. Observe that the injected script executes in the browser, confirming stored XSS [ref_id=1].

Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0