MyBB Like Plugin 3.0.0 – Cross-Site Scripting

Exploit Database
79 阅读

作者： 0xB9

日期： 2018-08-10
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/45179/

# Exploit Title: MyBB Like Plugin 3.0.0 - Cross-Site Scripting
# Date: 2018-08-01
# Author: 0xB9
# Twitter: @0xB9Sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=360
# Version: 3.0.0
# Tested on: Ubuntu 18.04
# CVE: N/A

# 1. Description:
# This plugin allows users to thank/like other users threads/posts. 
# In user profiles it shows your most liked post/thread, the post/thread 
# subjects aren't sanitized to user input.
 
# 2. Proof of Concept:

- Use the following as the post/thread subject<script>alert('XSS')</script>
- Get that post/thread liked by another user (or you)
- Visit your profile to see alert.

last Exploits
MyBB Like Plugin 3.0.0 – Cross-Site Scripting的更多信息

Joomla! Component com_xcloner-backupandrestore – Remote Command Execution：
Affiliate Niche Script 3.4.0 – SQL Injection：
Tailor Management System 1.0 – Unrestricted File Upload to Remote Code Execution：
M/Monit 3.7.4 – Password Disclosure：
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Site Scripting：
HostBill App 2.3 – Remote Code Injection：
Free School Management Software 1.0 – Remote Code Execution (RCE)：
Joomla! Component cinema – SQL Injection：