MyBB Favicon 1.0 Cross Site Scripting

CVE: N/A
Category: CWE-79
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-06-28
Our sensors found this exploit at:

Below is a copy:

# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link:
# Version: 1.0
# Tested On: Windows 10


The favicon URL field in the plugin's settings is not sanitized: whatever is entered there is written into the forum's HTML unchanged, so a stored cross-site scripting payload placed in that field executes on every page that renders the favicon tag. Setting the value requires access to the admin control panel, so the attacker needs an administrator-level account (or a way to make an administrator submit the setting).

Proof of Concept:

 1. In the admin dashboard go to Configuration > Settings > Favicon.
 2. Enter the following payload in the URL input: ><script>alert(1)</script>.ico
 3. Visit any page on the forum; the payload fires when the injected favicon tag is rendered.
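The following is an added illustration, not code from MyBB or the PGM Favicon plugin (which are written in PHP): it models the bug the PoC above exercises, an admin-supplied favicon URL interpolated into a <link> tag without escaping, and shows one way to harden the same setting by restricting it to http(s) URLs or site-relative paths and HTML-escaping it inside a quoted attribute. The template string, function names and the unquoted href attribute are assumptions; the payload is the one from step 2 of the PoC.

```python
"""
Model of the stored XSS in the PoC and a hardened rendering of the same
setting. Added example; not MyBB or PGM Favicon code. The <link> template,
the unquoted href attribute and the function names are assumptions.
"""
import html
from typing import Optional
from urllib.parse import urlsplit

# Payload from step 2 of the PoC (constructed here for the demo).
POC_PAYLOAD = '><script>alert(1)</script>.ico'


def render_favicon_tag_vulnerable(favicon_url: str) -> str:
    """Interpolates the setting into the tag with no escaping.

    Hypothetical template: with an unquoted href, the leading '>' in the
    payload terminates the <link> tag and the rest becomes live markup.
    """
    return f'<link rel="shortcut icon" href={favicon_url}>'


def validate_favicon_url(favicon_url: str) -> Optional[str]:
    """Return the URL if it is usable as a favicon location, else None.

    Accepted: absolute http(s) URLs with a host, or site-relative paths
    starting with '/'. Rejected: control characters and attribute/tag
    delimiters, javascript:/data: schemes, protocol-relative '//host'.
    """
    if any(ord(c) < 0x20 or c in '<>"\'' for c in favicon_url):
        return None
    parts = urlsplit(favicon_url)
    if parts.scheme in ('http', 'https') and parts.netloc:
        return favicon_url
    if parts.scheme == '' and parts.netloc == '' and favicon_url.startswith('/'):
        return favicon_url
    return None


def render_favicon_tag_safe(favicon_url: str) -> str:
    """Validate the setting, then HTML-escape it inside a quoted attribute.

    An unusable value yields no tag at all rather than a partially
    sanitized one.
    """
    checked = validate_favicon_url(favicon_url)
    if checked is None:
        return ''
    return f'<link rel="shortcut icon" href="{html.escape(checked, quote=True)}">'


if __name__ == '__main__':
    print('vulnerable:', render_favicon_tag_vulnerable(POC_PAYLOAD))
    print('hardened:  ', render_favicon_tag_safe(POC_PAYLOAD) or '(rejected)')
    print('benign:    ', render_favicon_tag_safe('https://example.com/favicon.ico'))
```

Escaping alone would stop the tag break-out, but validating the scheme as well keeps a javascript: or data: URL out of the attribute, and rejecting a bare "//host" path stops the favicon from being silently pointed at a third-party origin.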

Copyright ©2024 Exploitalert.