MyBB Latest Posts On Profile 1.1 Cross Site Scripting

2018.05.10

Credit: 0xB9

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2018-10580

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting
# Date: 4/20/2018
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=914
# Version: 1.1
# Tested on: Ubuntu 17.10
# CVE: CVE-2018-10580
1. Description:
Adds a new section to user profiles that will display their last posts.
2. Proof of Concept:
Persistent XSS
- Create a thread with the following subject <script>alert('XSS')</script>
- Now visit your profile to see the alert.
3. Solution:
I reported the plugin twice over the past 3 weeks and recieved no response.
The following should be added in line 236 to properly sanitize thread subjects.
$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyBB Latest Posts On Profile 1.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.