Exploit / Vulnerability Discovered: 2019-01-07
Type: webapps
Platform: php
This exploit / vulnerability, MyBB OUGC Awards plugin 1.8.3 persistent cross-site scripting, is for educational purposes only; if you use it, you do so at your own risk!
1. Description:
The OUGC Awards plugin for MyBB lets administrators and moderators grant awards to users; the awards are then displayed on user profiles and posts. The "reason" text entered when granting an award is stored and later output without HTML encoding on the awards page (awards.php) and on user profiles, which gives a persistent (stored) cross-site scripting vulnerability. Because the payload is stored server-side, it runs in the browser of every user who views the affected page, including administrators.
2. Proof of Concept:
- Have a moderator-level account or higher.
- Go to Manage Awards in the ModCP.
- Give an award to a user and enter the following payload as the reason: <script>alert('XSS')</script>
- The payload executes when the award is viewed on awards.php and on the user's profile.
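The following is an added example, not code from the OUGC Awards plugin or from the advisory author: a minimal PHP stand-in for how an award reason can be rendered, placing the unsafe pattern (raw interpolation into HTML) next to the hardened one (encoding on output). The function and variable names are illustrative assumptions; the sample reason string is the payload from the proof of concept above.

```php
<?php
// Added example, not the plugin's own code. Function and variable names
// are illustrative assumptions.

// Constructed sample input: the reason a moderator submits via ModCP.
$reason = "<script>alert('XSS')</script>";

// Vulnerable pattern: the stored reason is dropped straight into the HTML
// template, so any markup in it is interpreted by the viewer's browser.
function render_reason_unsafe(string $reason): string
{
    return '<div class="award-reason">' . $reason . '</div>';
}

// Hardened pattern: HTML-encode on output. Inside MyBB the core helper for
// this is htmlspecialchars_uni(); plain htmlspecialchars() with ENT_QUOTES is
// the equivalent used here so the snippet runs outside a MyBB install.
function render_reason_safe(string $reason): string
{
    $encoded = htmlspecialchars($reason, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="award-reason">' . $encoded . '</div>';
}

// Simple check a tester can run over rendered pages: is there still a
// live <script tag in the output, or only its encoded text form?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$unsafe = render_reason_unsafe($reason);
$safe   = render_reason_safe($reason);

echo "unsafe: " . $unsafe . PHP_EOL;  // script tag survives and would execute
echo "safe:   " . $safe . PHP_EOL;    // tag is encoded and displayed as text

echo "unsafe contains script tag: " . var_export(contains_script_tag($unsafe), true) . PHP_EOL;
echo "safe contains script tag:   " . var_export(contains_script_tag($safe), true) . PHP_EOL;
```

Run it with `php example.php`. The point is that the fix belongs at output time, in every template that prints the reason (awards.php and the profile view alike); filtering only the ModCP form input is easy to miss in one code path and leaves the stored value dangerous.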