CVE-2018-25309

MyBB Recent threads 17.0 Persistent Cross-Site Scripting

CVSS 5.1 MEDIUM | EPSS 0.3% | CWE-79
In short

MyBB Recent threads 17.0 allows attackers to inject malicious scripts into thread subject lines, which then execute in the browsers of all users viewing the site's index page. This can be used to steal user information or perform unwanted actions on their behalf.

Technical detail

A persistent XSS vulnerability exists in the thread subject parameter of MyBB Recent threads 17.0: insufficient input sanitization lets attackers inject script tags that execute in the context of other users' browsers. The attack requires the ability to create threads, and payloads persist in the database, affecting all users who view the index page displaying recent threads.
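The rendering flaw described above, next to its output-encoded form, as an added example that is not the plugin's own code. The function names, the row layout and the sample subjects are assumptions made for illustration.

```php
<?php
// Added example: hypothetical renderer for one "recent threads" row.
// Names and markup are assumptions, not code from the plugin.
// Requires the mbstring extension.

// Vulnerable pattern: the stored subject is concatenated into HTML as-is,
// so markup saved in the database is parsed by every visitor's browser.
function render_row_unsafe(array $thread): string
{
    return '<a href="showthread.php?tid=' . (int)$thread['tid'] . '">'
         . $thread['subject'] . '</a>';
}

// Hardened pattern: truncate the raw text first, then encode for HTML.
// Encoding before truncating could cut an entity such as &lt; in half.
function render_row_safe(array $thread, int $maxLen = 40): string
{
    $subject = (string)$thread['subject'];
    if (mb_strlen($subject, 'UTF-8') > $maxLen) {
        $subject = mb_substr($subject, 0, $maxLen - 3, 'UTF-8') . '...';
    }
    // ENT_QUOTES encodes both quote characters, so the same value is
    // safe in the title attribute and in the element body.
    $escaped = htmlspecialchars($subject, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="showthread.php?tid=' . (int)$thread['tid'] . '" title="'
         . $escaped . '">' . $escaped . '</a>';
}

// Constructed sample rows, as they might come back from the database.
$rows = [
    ['tid' => 1, 'subject' => 'Welcome to the forum'],
    ['tid' => 2, 'subject' => '<script>alert(1)</script>'],
    ['tid' => 3, 'subject' => 'Tom & "Jerry" <3'],
    ['tid' => 4, 'subject' => str_repeat('long subject ', 6)],
];

foreach ($rows as $row) {
    echo 'unsafe: ', render_row_unsafe($row), "\n";
    echo 'safe:   ', render_row_safe($row), "\n";
}
```

Encoding at output time also neutralizes subjects that were stored before any input filter was added, which matters here because the payloads persist in the database.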

Summary generated and translated by AI from the official description.
MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
