MyBB ChangUonDyU Plugin 1.0.2 – Cross-Site Scripting

Exploit Database
16 阅读

作者： 0xB9

日期： 2018-05-29
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/44795/

# Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting
# Date: 5/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1125
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532


1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.
 

 
2. Proof of Concept:
Create a new thread with the following payload as the title<svg onload=alert('XSS')>

The alert will appear on the index page



3. Solution:
Update to the latest release

last Exploits
MyBB ChangUonDyU Plugin 1.0.2 – Cross-Site Scripting的更多信息

LogicalDOC Enterprise 7.7.4 – User Enumeration：
ECommerceMajor – ‘productdtl.php?prodid’ SQL Injection：
Dell OpenManage Server Administrator 8.3 – XML External Entity：
PHP Search Engine 1.0 – SQL Injection：
PHP Ringtone Website – ‘ringtones.php’ Multiple Cross-Site Scripting Vulnerabilities：
PHPJunkYard GBook 1.6/1.7 – Multiple Cross-Site Scripting Vulnerabilities：
Kubeit CMS – SQL Injection：
WebGlimpse 2.x – ‘wgarcmin.cgi’ Full Path Disclosure：