MyBB Favicon 1.0 Cross Site Scripting

CVE: N/A
Category: CWE-79 (Cross-Site Scripting)
Price: $500
Severity: High
Author: Unknown
Risk: High
Exploitation Type: Remote
Date: 2023-06-28
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023060068

Below is a copy:

# Exploit Title: MyBB [PGM] Favicon Plugin 1.0  Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554
# Version: 1.0
# Tested On: Windows 10

Description:

The favicon URL setting, editable from the Admin CP, is written into the page header without validation or output encoding, so a value containing HTML is rendered as markup on every forum page (stored XSS). Because only an administrator can change the setting, exploiting it requires administrator privileges; the injected script then executes in the browser of every visitor.

Proof of Concept:

 In the admin dashboard go to Configuration > Settings > Favicon
 Enter the following payload in the URL input: ><script>alert(1)</script>.ico
 (if the stored value is emitted inside a quoted href attribute, the payload needs a leading double quote to close the attribute first; that quote may have been stripped from this copy)
 Visit any page on the forum to trigger the payload
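The following PHP is an added example, not the plugin's or MyBB's own code: it shows the pattern behind the bug (a setting value concatenated straight into the favicon <link> tag) next to a hardened version that validates the URL and escapes it for the attribute context. Function names, the sample URLs and the assumption that the value lands inside a double-quoted href attribute are all hypothetical; the payload is the advisory's, with the leading double quote assumed as described above.

```php
<?php
// Added example (not the plugin's code). Illustrates why a favicon URL setting
// must be validated and escaped before it is emitted into every page's <head>.
declare(strict_types=1);

// Vulnerable pattern: the stored setting is interpolated into the template as-is.
// A value starting with "> closes the href attribute and the <link> tag, so
// whatever follows is parsed as markup on every page that includes the header.
function render_favicon_link_unsafe(string $url): string
{
    return '<link rel="icon" href="' . $url . '">';
}

// Validation (defence in depth): accept only site-relative paths or absolute
// http(s) URLs. Returns the cleaned URL, or null if the value is rejected.
function validate_favicon_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    // Control characters and whitespace never belong in a URL setting.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    // Site-relative path such as /images/favicon.ico (but not protocol-relative //host).
    if ($url[0] === '/' && (!isset($url[1]) || $url[1] !== '/')) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    // Blocks javascript:, data: and other non-http(s) schemes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened pattern: validate, then encode for an HTML attribute context.
// ENT_QUOTES matters here: it is the double quote that lets the payload escape href.
// The escaping alone is what neutralises the injection reported in the advisory;
// the validation additionally keeps junk and odd schemes out of the setting.
function render_favicon_link_safe(string $url): string
{
    $clean = validate_favicon_url($url);
    if ($clean === null) {
        return ''; // a real plugin would fall back to the default favicon here
    }
    return '<link rel="icon" href="'
        . htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Demo with the advisory's payload (leading quote assumed) and a legitimate URL.
$payload = '"><script>alert(1)</script>.ico';
echo "unsafe: ", render_favicon_link_unsafe($payload), PHP_EOL;
echo "safe:   ", render_favicon_link_safe($payload), PHP_EOL;
echo "safe:   ", render_favicon_link_safe('https://forum.example/favicon.ico'), PHP_EOL;
```

Run it with `php favicon_example.php` (hypothetical file name) and compare the two lines for the payload: the unsafe render emits a closed <link> tag followed by a live <script> element, while the safe render rejects the value outright; had it passed validation, the quote would have been emitted as &quot; and stayed inside the attribute.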
