1982f33252
16 changes to exploits/shellcodes AirDroid 4.2.1.6 - Denial of Service River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH) Android - binder Use-After-Free via fdget() Optimization Android - binder Use-After-Free of VMA via race Between reclaim and munmap Skyworth GPON HomeGateways and Optical Network Terminals - Stack Overflow River Past Video Cleaner 7.6.3 - Local Buffer Overflow (SEH) runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution Ubuntu snapd < 2.37.1 - Local Privilege Escalation IPFire 2.21 - Cross-Site Scripting MyBB Bans List 1.0 - Cross-Site Scripting IPFire 2.21 - Cross-Site Scripting MyBB Bans List 1.0 - Cross-Site Scripting Webiness Inventory 2.3 - 'email' SQL Injection OPNsense < 19.1.1 - Cross-Site Scripting Jenkins 2.150.2 - Remote Command Execution (Metasploit) BlogEngine.NET 3.3.6 - Directory Traversal / Remote Code Execution LayerBB 1.1.2 - Cross-Site Scripting
32 lines
No EOL
992 B
Text
32 lines
No EOL
992 B
Text
# Exploit Title: LayerBB 1.1.2 - Cross-Site Scripting
|
|
# Date: 11/19/2018
|
|
# Author: 0xB9
|
|
# Twitter: @0xB9Sec
|
|
# Contact: 0xB9[at]pm.me
|
|
# Software Link: https://forum.layerbb.com/downloads.php?view=file&id=28
|
|
# Version: 1.1.2
|
|
# Tested on: Ubuntu 18.04
|
|
# CVE: CVE-2019-7688
|
|
|
|
|
|
1. Description:
|
|
LayerBB is a free open-source forum software. The 2 XSS's found allows users to input a payload to Custom Profile Fields and the polls question & answers input via a new thread.
|
|
|
|
|
|
2. Proof of Concept:
|
|
|
|
PoC - Polls QnA
|
|
- Start a new thread
|
|
- Use a payload in the polls QnA input boxes <script>alert('XSS')</script>
|
|
- Anyone who views the thread will execute payload
|
|
|
|
PoC - Custom Profile Fields
|
|
- Create a Custom Profile Field in ACP
|
|
- Then use an account from any usergroup & edit profile
|
|
- Input a payload in the bottom "Additional Profile Fields" textbox <script>alert('XSS')</script>
|
|
- Anyone who views your profile will execute payload
|
|
|
|
|
|
|
|
3. Solution:
|
|
Update to 1.1.3 |