PT-2019-9050 · MyBB · Ban List Plugin

0Xb9 · Published 2019-03-18 · Updated 2019-03-26 · CVE-2018-14724

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Ban List plugin version 1.0 for MyBB
Description: The plugin lets any forum user with moderator privileges enter an XSS payload as the ban reason. The stored payload is then executed when the bans.php page is rendered, potentially leading to malicious script execution.
Recommendations: For Ban List plugin version 1.0, disable the ability for moderator-privileged users to enter custom ban reasons until a patch is available, so that XSS payloads cannot be stored and executed, and restrict access to the bans.php page to minimize the risk of exploitation.
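The two defensive measures behind this advisory, output encoding of the stored ban reason and an interim allowlist of preset reasons, as an added PHP example. This is not the Ban List plugin's code or MyBB's; it models the rendering step on bans.php with plain PHP, and the function names, array fields and the sample ban record are assumptions constructed for the example (PHP 8 is assumed for str_contains).

```php
<?php
declare(strict_types=1);

// Added example, not code from the Ban List plugin or from MyBB. It models the
// step on bans.php where a moderator-supplied ban reason is written into the
// page for every viewer. Function and field names are assumptions.

// Constructed sample ban record. The reason contains markup and quote
// characters, as a moderator could enter them in the plugin's ban form.
$sampleBan = [
    'uid'      => 42,
    'username' => 'example_user',
    'reason'   => 'Spam <b>bold</b> "quoted" & more',
];

// Vulnerable pattern: the stored reason is concatenated into HTML unchanged,
// so any tags or attributes in it become part of the page for every viewer.
function render_ban_row_vulnerable(array $ban): string
{
    return '<tr><td>' . $ban['username'] . '</td><td>' . $ban['reason'] . '</td></tr>';
}

// Hardened pattern: every untrusted field is HTML-encoded at the point where it
// is placed into the document. ENT_QUOTES also encodes single and double quotes,
// so the value stays inert inside attribute values; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of making htmlspecialchars() return an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_ban_row_fixed(array $ban): string
{
    return '<tr><td>' . esc_html($ban['username']) . '</td><td>' . esc_html($ban['reason']) . '</td></tr>';
}

// Interim mitigation matching the advisory's recommendation: while custom
// reasons are disabled, only a preset reason is accepted; anything else falls
// back to a fixed default, so no free-form text reaches storage at all.
function select_preset_reason(string $requested, array $presets, string $default = 'Rule violation'): string
{
    return in_array($requested, $presets, true) ? $requested : $default;
}

$presets = ['Spam', 'Harassment', 'Rule violation'];

$vulnerable = render_ban_row_vulnerable($sampleBan);
$fixed      = render_ban_row_fixed($sampleBan);
$interim    = select_preset_reason($sampleBan['reason'], $presets);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
echo "interim:    $interim\n";

// Self-checks: the raw tag survives only in the vulnerable output, the hardened
// output carries the encoded form, and the interim path never stores free text.
if (!str_contains($vulnerable, '<b>bold</b>')) {
    throw new RuntimeException('expected raw markup in vulnerable output');
}
if (str_contains($fixed, '<b>')) {
    throw new RuntimeException('hardened output still contains raw markup');
}
if (!str_contains($fixed, '&lt;b&gt;bold&lt;/b&gt; &quot;quoted&quot; &amp; more')) {
    throw new RuntimeException('hardened output not encoded as expected');
}
if ($interim !== 'Rule violation') {
    throw new RuntimeException('interim allowlist accepted free-form text');
}
echo "all checks passed\n";
```

Encoding at output time is the durable fix, because the ban reason is read back and rendered in an HTML context; MyBB core ships its own helper, htmlspecialchars_uni(), for the same purpose, and a plugin running inside MyBB would normally use that rather than a private esc_html(). The preset allowlist is only the stop-gap the advisory recommends until the plugin is patched.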

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2018-14724

Affected Products: Ban List Plugin