MyBB Favicon plugin version 1.0 suffers from a cross site scripting vulnerability.
48e6211cff65bfb83fc11243b98216054981ee3a62b7f4384b54d20ecdc324e2# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 – Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554
# Version: 1.0
# Tested On: Windows 10
Description:
The favicon input in the settings doesn’t sanitize the favicon URL.
Proof of Concept:
– In the admin dashboard go to Configuration > Settings > Favicon
– Enter the following payload in the URL input: “><script>alert(1)</script>.ico
– Visit any page on the forum to trigger the payload
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed