MyBB Visual Editor Stored XSS <= v1.8.18

2018.09.22

Numan OZDEMIR (TR)

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2018-17128

CWE: CWE-79

Dork: intext:"Powered By MyBB"

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

[+] Title: MyBB Visual Editor Stored XSS <= v1.8.18
[+] Author: Numan OZDEMIR
[+] Vendor Homepage: mybb.com
[+] Software Link: https://mybb.com/download/
[+] Version: Up to v1.8.18. Fixed in v1.8.19.
[+] PoC Video: https://numanozdemir.com/mybb/xss.mp4
[+] CVE: CVE-2018-17128
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs
[+] root@numanozdemir.com - info@infinitumit.com.tr
 
[~] Description:
 
Attacker can run JavaScript codes in victim user's browser while victim is replying a post.
'videotype' section causes this.

[~] How to Reproduce:

1)- Enter to thread posting page. (newthread.php, enter title and content.)
2)- Click "insert a video" command. Select any source and insert any URL.
3)- Edit the video source with your payload.
Or, directly add this code:
[video=PAYLOAD]xxx[/video]
Example:
[video=PA<svg/onload=alert('xss')>YLOAD]xxx[/video]

4)- Post the thread.

While victim user replying your post, his browser will run JavaScript.
Vulnerable pages:
editpost.php
newreply.php
private.php
and all Visual Editor embedded pages.

// for secure days...

See this note in RAW Version

Vote for this issue:

100%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

MyBB Visual Editor Stored XSS <= v1.8.18

Dork: intext:"Powered By MyBB"

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

MyBB Visual Editor Stored XSS <= v1.8.18

Dork: intext:"Powered By MyBB"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.