Home Tools Exploits & CVE's MyBB Favicon 1.0 Cross Site Scripting

MyBB Favicon 1.0 Cross Site Scripting

June 28, 2023

314

Authored by 0xB9

MyBB Favicon plugin version 1.0 suffers from a cross site scripting vulnerability.

# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 – Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554
# Version: 1.0
# Tested On: Windows 10

Description:

The favicon input in the settings doesn’t sanitize the favicon URL.

Proof of Concept:

– In the admin dashboard go to Configuration > Settings > Favicon
– Enter the following payload in the URL input: “><script>alert(1)</script>.ico
– Visit any page on the forum to trigger the payload

MyBB Favicon 1.0 Cross Site Scripting

Follow us on Instagram @thecyberpost

EDITOR PICKS

osCommerce 4 Cross Site Scripting

undefinedExploiting The NT Kernel In 24H2undefined

Windows NtQueryInformationThread Double-Fetch / Arbitrary Write

POPULAR POSTS

ESET NOD32 Antivirus 17.1.11.0 Unquoted Service Path

Restaurant Reservation System Patches Easy-to-Exploit XSS Bug

Sniffle – A Sniffer For Bluetooth 5 And 4.X LE

POPULAR CATEGORY

ECOA Building Automation System Arbitrary File Deletion

Joomla Vik Rent Car 1.14 Cross Site Scripting

Telesquare TLR-2855KS6 Arbitrary File Deletion