PT-2008-6104 · Mybb · Mybb

Published: 2008-11-04 · Updated: 2011-03-08 · CVE-2008-4928

CVSS v2.0: 4.3 (Medium) · Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: MyBB version 1.4.2

Description: A cross-site scripting (XSS) issue exists in the redirect function, allowing remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to "moderation.php". This is related to the use of the ajax option to request a JavaScript redirect. It can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection.

Recommendations: For MyBB version 1.4.2, consider disabling the redirect function in functions.php as a temporary workaround until a patch is available. Restrict access to the moderation.php endpoint to minimize the risk of exploitation. Avoid using the url parameter in the removesubscriptions action until the issue is resolved.
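The weakness described above is a caller-supplied URL being placed into a JavaScript redirect without validation or script-context encoding. The following PHP is an added illustration, not MyBB's own code: `js_redirect_unsafe` shows the vulnerable interpolation pattern for contrast, and `js_redirect_safe` (a hypothetical helper; `$own_host` is an assumed parameter naming the forum's host) restricts the destination to same-host or rooted relative URLs and encodes it so it cannot break out of the `<script>` element.

```php
<?php
// Vulnerable pattern (for contrast only): the raw url value lands inside a
// JavaScript string literal, so a quote or </script> in it ends the context.
function js_redirect_unsafe(string $url): string {
    return "<script>window.location = '" . $url . "';</script>";
}

// Hardened pattern: validate the destination, then encode for a script context.
// Returns null when the URL must be refused (caller should fall back to a
// fixed, trusted location rather than the user-supplied one).
function js_redirect_safe(string $url, string $own_host): ?string {
    // Backslashes and line breaks are interpreted inconsistently by browsers
    // and parse_url(); refuse them outright.
    if (strpbrk($url, "\\\r\n") !== false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return null;
    }
    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative ("//host") URL: only http(s) to our own host.
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return null; // rejects javascript:, data:, and scheme-less //host forms
        }
        if (strtolower($parts['host'] ?? '') !== strtolower($own_host)) {
            return null;
        }
    } elseif (strpos($url, '/') !== 0) {
        // Relative URLs must be rooted ("/path"), not "path" or "./path".
        return null;
    }
    // JSON-encode with hex flags so <, >, &, ' and " become \uXXXX escapes;
    // the result is a valid JS string literal that cannot close the script tag.
    $encoded = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>window.location = " . $encoded . ";</script>";
}

// Constructed sample inputs against an assumed forum host.
var_dump(js_redirect_safe('/forum/usercp.php?action=subscriptions', 'forum.example'));
var_dump(js_redirect_safe("javascript:alert(1)", 'forum.example')); // NULL
var_dump(js_redirect_safe("'</script><script>alert(1)//", 'forum.example')); // NULL (not rooted)
var_dump(js_redirect_safe("/x'</script>", 'forum.example')); // encoded, no raw </script>
```

Pairing the validated redirect with an anti-CSRF token check on the moderation action addresses the second consequence the description mentions.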

Exploit · Fix · XSS


Related Identifiers: CVE-2008-4928

Affected Products: Mybb