MyBB OUGC Awards 1.8.3 Cross Site Scripting

2019.01.08

Credit: 0xB9

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2019-3501

CWE: CWE-79

CVSS Base Score: 3.5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 6.8/10

Exploit range: Remote

Attack complexity: Medium

Authentication: Single time

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting
# Date: 12/31/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=396
# Version: 1.8.3
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-3501
1. Description:
OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.
2. Proof of Concept:
- Have a mod account level or higher
- Go to Manage Awards in ModCP
- Give an award to a user and input payload for reason <script>alert('XSS')</script>
- Payload executes when viewing award on awards.php and user profiles.
3. Solution:
Update to 1.8.19

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

MyBB OUGC Awards 1.8.3 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.