MyBB New Threads Plugin 1.1 – Cross-Site Scripting

• Exploit Database
• 13 阅读

• 作者： 0xB9
  日期： 2018-07-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/45057/

• # Exploit Title: MyBB New Threads Plugin - Cross-Site Scripting
  # Date: 7/16/2018
  # Author: 0xB9
  # Twitter: @0xB9Sec
  # Contact: 0xB9[at]pm.me
  # Software Link: https://community.mybb.com/mods.php?action=view&pid=1143
  # Version: 1.1
  # Tested on: Ubuntu 18.04
  # CVE: CVE-2018-14392
  
  
  1. Description:
  New Threads is a plugin that displays new threads on the index page. The thread titles allow XSS.
   
  
  2. Proof of Concept:
  
  - Create a new thread with the following subject<script>alert('XSS')</script>
  - Visit the index page to see alert.
  
  
  3. Solution:
  Update to 1.2