MyBB OUGC Feedback Plugin 1.8.22 – Cross-Site Scripting

Exploit Database
38 阅读

作者： 0xB9

日期： 2021-03-11
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/49635/

# Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
# Date: 1/30/2021
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
# Version: 1.8.22
# Tested on: Windows 10
# CVE: CVE-2021-28115

1. Description:
This plugin adds a feedback system to your forum. Edit feedback button is vulnerable to XSS.

2. Proof of Concept:

- Go to a user profile
- Add feedback and leave the following payload as comment "><script>alert(1)</script>
- View the feedback feedback.php?uid=2 
- When clicking Edit payload will execute

last Exploits
MyBB OUGC Feedback Plugin 1.8.22 – Cross-Site Scripting的更多信息

NethServer 7.3.1611 – Cross-Site Request Forgery / Cross-Site Scripting：
Joomla! Component com_jnews 8.5.1 – SQL Injection：
WordPress Plugin Ninja Forms 3.3.13 – CSV Injection：
Joomla! Component com_hospital – SQL Injection：
Open Journal Systems (OJS) 2.3.6 – ‘index.php?authors[][url]’ Cross-Site Scripting：
Geutebruck 5.02024 G-Cam/EFD-2250 – ‘testaction.cgi’ Remote Command Execution (Metasploit)：
Fastweb Fastgate 0.00.81 – Remote Code Execution：
Joomla! Component com_realestatemanager 3.7 – SQL Injection：