header-logo
Suggest Exploit
vendor:
ChangUonDyU Advanced Statistics Plugin
by:
0xB9
6.1
CVSS
MEDIUM
Cross-Site Scripting
79
CWE
Product Name: ChangUonDyU Advanced Statistics Plugin
Affected Version From: 1.0.2
Affected Version To: 1.0.2
Patch Exists: YES
Related CWE: CVE-2018-11532
CPE: MyBB/ChangUonDyU_Advanced_Statistics_Plugin
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 18.04
2018

MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 – Cross-Site Scripting

This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX. An attacker can create a new thread with a malicious payload as the title, which will execute the XSS code when loaded on the index page.

Mitigation:

Update to the latest release of the plugin
Source

Exploit-DB raw data:

# Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting
# Date: 5/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1125
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532


1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.
 

 
2. Proof of Concept:
Create a new thread with the following payload as the title  <svg onload=alert('XSS')>

The alert will appear on the index page



3. Solution:
Update to the latest release

Navigation

Suggest Exploit

Services By CQR