19 lines
No EOL
613 B
Text
19 lines
No EOL
613 B
Text
# Exploit Title: MyBB OUGC Feedback Plugin 1.8.22 - Cross-Site Scripting
|
|
# Date: 1/30/2021
|
|
# Author: 0xB9
|
|
# Twitter: @0xB9Sec
|
|
# Contact: 0xB9[at]pm.me
|
|
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1220
|
|
# Version: 1.8.22
|
|
# Tested on: Windows 10
|
|
# CVE: CVE-2021-28115
|
|
|
|
1. Description:
|
|
This plugin adds a feedback system to your forum. Edit feedback button is vulnerable to XSS.
|
|
|
|
2. Proof of Concept:
|
|
|
|
- Go to a user profile
|
|
- Add feedback and leave the following payload as comment "><script>alert(1)</script>
|
|
- View the feedback feedback.php?uid=2
|
|
- When clicking Edit payload will execute |