Below is a copy: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
# Exploit Title: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
# Date: 3/8/2019
# Author: Hacker0Seven
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1231
# Version: 1.32
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-9650
1. Description:
This plugin shows upcoming calendar events on the forum index and portal page. Event names are vulnerable to XSS.
2. Proof of Concept:
- Go to the calander.php page and add a new event
- Input a payload for the event name <script>alert('XSS')</script>
Payload will be executed on index.php
3. Solution:
Update to 1.33
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum