Exploit / Vulnerability Discovered: 2018-09-24
Type: webapps
Platform: php
This exploit / vulnerability, MyBB Visual Editor 1.8.18 cross-site scripting, is for educational purposes only; if you use it, you do so at your own risk!
# Description:
# An attacker can run JavaScript code in a victim user's browser while the victim is replying to a post.
# The 'videotype' section causes this.
# How to Reproduce:
1)- Go to the thread posting page. (newthread.php; enter a title and content.)
2)- Click the "insert a video" command. Select any source and insert any URL.
3)- Edit the video source with your payload.
Or, directly add this code:
# While the victim user is replying to your post, their browser will run the JavaScript.
# Vulnerable pages: editpost.php, newreply.php, private.php
# and all pages that embed the Visual Editor.
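
On the defensive side, the 'videotype' issue described above comes down to a value from a post reaching the editor's HTML without validation. The following is an added example, not MyBB's code or its actual patch: it checks the type part of a `[video=TYPE]URL[/video]` tag against an allowlist before any markup is built. The function names, the placeholder markup and the list of types are assumptions made for illustration.

```javascript
// Added example (not MyBB code). Allowlist of video types; illustrative values.
const ALLOWED_VIDEO_TYPES = new Set(['youtube', 'vimeo', 'dailymotion']);

// Escape every character that can end an attribute value or open a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`]/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '`': '&#96;'
  }[c]));
}

// Only absolute http(s) URLs are accepted as a video source.
function isSafeVideoUrl(url) {
  try {
    const u = new URL(String(url).trim());
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Build the editor placeholder for one tag, or return the tag as inert text.
function renderVideoTag(type, url) {
  const t = String(type).trim().toLowerCase();
  if (!ALLOWED_VIDEO_TYPES.has(t) || !isSafeVideoUrl(url)) {
    return escapeHtml(`[video=${type}]${url}[/video]`);
  }
  // Emit the normalized allowlist value, never the raw string from the post.
  return `<img class="video-placeholder" data-video-type="${t}" ` +
         `data-video-url="${escapeHtml(url.trim())}" alt="video">`;
}

// Convert all video tags in a post body; text between tags is escaped too.
function convertVideoTags(text) {
  const re = /\[video=([^\]]*)\]([\s\S]*?)\[\/video\]/gi;
  let out = '', last = 0, m;
  while ((m = re.exec(text)) !== null) {
    out += escapeHtml(text.slice(last, m.index)) + renderVideoTag(m[1], m[2]);
    last = re.lastIndex;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: a type value carrying quote characters (harmless attribute).
const SAMPLE_REJECTED = '[video=youtube" data-x="1]https://example.com/v[/video]';
console.log(convertVideoTags(SAMPLE_REJECTED));
```

The same check belongs on the server side as well, since the pages listed above all render the stored post through the editor.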