MyBB Favicon 1.0 Cross Site Scripting

2023.06.28
Credit: 0xB9
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 – Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554
# Version: 1.0
# Tested On: Windows 10

Description:
The favicon URL setting is not sanitized. The value entered in the admin settings is stored as-is and reflected into every forum page, so a stored cross-site scripting payload placed in that field executes for every visitor. Setting it requires access to the admin dashboard, which is why the risk is rated Low.

Proof of Concept:
- In the admin dashboard go to Configuration > Settings > Favicon
- Enter the following payload in the URL input: "><script>alert(1)</script>.ico
- Visit any page on the forum to trigger the payload
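As an added illustration (this is not the plugin's or MyBB's code), the following JavaScript shows why the payload breaks out of the attribute and what the fix looks like. It assumes the plugin interpolates the saved setting directly into a `<link rel="shortcut icon" href="...">` tag in the site-wide header; that template shape is inferred from the PoC ("visit any page to trigger") and not verified against the plugin source. The URLs and the payload string are constructed inputs for the demo.

```javascript
// Added example, not the plugin's code. Assumes the favicon setting is
// written into a <link rel="shortcut icon" href="..."> tag in the forum
// header (inferred from the advisory, not taken from the plugin source).

// Payload from the advisory and a benign value (constructed inputs).
const PAYLOAD = '"><script>alert(1)</script>.ico';
const BENIGN = 'https://forum.example/images/favicon.ico';

// Vulnerable rendering: the stored setting lands inside the href attribute
// unchanged, so the leading `">` closes the attribute and the tag.
function renderFaviconUnsafe(url) {
  return `<link rel="shortcut icon" href="${url}" type="image/x-icon">`;
}

// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): neutralises every
// character that can terminate an attribute value or open a new tag.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Defence in depth at save time: accept a site-relative path (single
// leading slash, so not a protocol-relative //host) or an absolute
// http(s) URL. This blocks odd schemes; the XSS itself is fixed by escaping.
function isAllowedFaviconUrl(url) {
  if (/^\/(?!\/)/.test(url)) return true;
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.protocol === 'https:' || parsed.protocol === 'http:';
}

// Hardened rendering: validate on input, escape for the attribute context
// on output. Both steps are needed; only the escaping stops the payload.
function renderFaviconSafe(url) {
  if (!isAllowedFaviconUrl(url)) {
    throw new Error('favicon setting rejected: not a path or http(s) URL');
  }
  return `<link rel="shortcut icon" href="${escapeHtmlAttr(url)}" type="image/x-icon">`;
}

// Counts opening <script tags in rendered markup, i.e. the tags an HTML
// parser would actually create. Zero means the input stayed inside href.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Stand-alone demo: compare what each renderer emits for the PoC payload.
console.log('unsafe  :', renderFaviconUnsafe(PAYLOAD));
console.log('escaped :', '<link href="' + escapeHtmlAttr(PAYLOAD) + '">');
console.log('allowed :', isAllowedFaviconUrl(PAYLOAD), isAllowedFaviconUrl(BENIGN));
```

In MyBB's own PHP the output-side fix is `htmlspecialchars_uni()` (or `htmlspecialchars()` with `ENT_QUOTES`) applied where the setting is placed into the template; the scheme check is an extra guard so that a compromised admin account cannot store a `javascript:` or protocol-relative URL even once escaping is in place.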



Copyright 2024, cxsecurity.com
