Advertisement






MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting

CVE Category Price Severity
CVE-2019-9650 CWE-79 $500 High
Author Risk Exploitation Type Date
CyberHax High Remote 2019-03-27
CVSS EPSS EPSSP
Not provided 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030227

Below is a copy:

MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
# Exploit Title: MyBB Upcoming Events Plugin 1.32 - Cross-Site Scripting
# Date: 3/8/2019
# Author: Hacker0Seven
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1231
# Version: 1.32
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-9650


1. Description:
This plugin shows upcoming calendar events on the forum index and portal page. Event names are vulnerable to XSS.
 

2. Proof of Concept:

- Go to the calander.php page and add a new event
- Input a payload for the event name   <script>alert('XSS')</script>

Payload will be executed on index.php



3. Solution:
Update to 1.33

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum