Affects all platforms supported by the vulnerable versions.
Description
Phishing. Using some BB-Code options, users can place content outside posts and other messages. For example, a user can place an invisible link over legitimate site navigation links and direct users to another web site that looks like a legitimate login page. Does not affect Lite versions.
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Notes
The patch hides content that flows outside permitted content boxes and makes it more difficult for users to achieve this effect using BB-Code alone. However, users are still permitted to post content in non-standard places, such as header integrations, sidebar blocks, etc.
Phishing attacks are always possible as long as users can post links on your web site, although they may be less effective when the links appear within the visual bounds of a user's post. Phishing vulnerabilities are considered mitigated if it is clear that a user posted the link or the link otherwise appears in the content-area of the page. In many cases, the only real defense against such attacks is vigilance by the victim -- making sure that the address bar still represents the expected site.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
