{"id": "EDB-ID:46080", "type": "exploitdb", "bulletinFamily": "exploit", "title": "MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting", "description": "", "published": "2019-01-07T00:00:00", "modified": "2019-01-07T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/46080", "reporter": "Exploit-DB", "references": [], "cvelist": ["CVE-2019-3501"], "lastseen": "2019-01-07T16:58:49", "viewCount": 40, "enchantments": {"score": {"value": 4.1, "vector": "NONE", "modified": "2019-01-07T16:58:49", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-3501"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:482A8122D6448FD398DA118B03EDB6BA"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:151016"]}, {"type": "zdt", "idList": ["1337DAY-ID-31881"]}], "modified": "2019-01-07T16:58:49", "rev": 2}, "vulnersScore": 4.1}, "sourceHref": "https://www.exploit-db.com/download/46080", "sourceData": "# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting\r\n# Date: 12/31/2018\r\n# Author: 0xB9\r\n# Twitter: @0xB9Sec\r\n# Contact: 0xB9[at]pm.me\r\n# Software Link: https://community.mybb.com/mods.php?action=view&pid=396\r\n# Version: 1.8.3\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2019-3501\r\n\r\n\r\n1. Description:\r\nOUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.\r\n \r\n\r\n2. Proof of Concept:\r\n\r\n- Have a mod account level or higher\r\n- Go to Manage Awards in ModCP\r\n- Give an award to a user and input payload for reason <script>alert('XSS')</script>\r\n\r\n- Payload executes when viewing award on awards.php and user profiles.\r\n\r\n\r\n3. Solution:\r\nUpdate to 1.8.19", "osvdbidlist": []}

{"cve": [{"lastseen": "2020-12-09T21:41:52", "description": "The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted award reason that is mishandled on the awards page or in a user profile.", "edition": 6, "cvss3": {"exploitabilityScore": 1.7, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 4.8, "privilegesRequired": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-01-02T13:29:00", "title": "CVE-2019-3501", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-3501"], "modified": "2019-01-15T17:12:00", "cpe": [], "id": "CVE-2019-3501", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-3501", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}], "packetstorm": [{"lastseen": "2019-01-08T02:43:55", "description": "", "published": "2019-01-07T00:00:00", "type": "packetstorm", "title": "MyBB OUGC Awards 1.8.3 Cross Site Scripting", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3501"], "modified": "2019-01-07T00:00:00", "id": "PACKETSTORM:151016", "href": "https://packetstormsecurity.com/files/151016/MyBB-OUGC-Awards-1.8.3-Cross-Site-Scripting.html", "sourceData": "`# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting \n# Date: 12/31/2018 \n# Author: 0xB9 \n# Twitter: @0xB9Sec \n# Contact: 0xB9[at]pm.me \n# Software Link: https://community.mybb.com/mods.php?action=view&pid=396 \n# Version: 1.8.3 \n# Tested on: Ubuntu 18.04 \n# CVE: CVE-2019-3501 \n \n \n1. Description: \nOUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles. \n \n \n2. Proof of Concept: \n \n- Have a mod account level or higher \n- Go to Manage Awards in ModCP \n- Give an award to a user and input payload for reason <script>alert('XSS')</script> \n \n- Payload executes when viewing award on awards.php and user profiles. \n \n \n3. Solution: \nUpdate to 1.8.19 \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/151016/mybbougcawards183-xss.txt"}], "zdt": [{"lastseen": "2019-01-22T00:38:22", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2019-01-07T00:00:00", "title": "MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3501"], "modified": "2019-01-07T00:00:00", "id": "1337DAY-ID-31881", "href": "https://0day.today/exploit/description/31881", "sourceData": "# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting\r\n# Author: 0xB9\r\n# Twitter: @0xB9Sec\r\n# Contact: 0xB9[at]pm.me\r\n# Software Link: https://community.mybb.com/mods.php?action=view&pid=396\r\n# Version: 1.8.3\r\n# Tested on: Ubuntu 18.04\r\n# CVE: CVE-2019-3501\r\n\r\n\r\n1. Description:\r\nOUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.\r\n \r\n\r\n2. Proof of Concept:\r\n\r\n- Have a mod account level or higher\r\n- Go to Manage Awards in ModCP\r\n- Give an award to a user and input payload for reason <script>alert('XSS')</script>\r\n\r\n- Payload executes when viewing award on awards.php and user profiles.\r\n\r\n\r\n3. Solution:\r\nUpdate to 1.8.19\n\n# 0day.today [2019-01-21] #", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://0day.today/exploit/31881"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:36", "description": "\nMyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting", "edition": 1, "published": "2019-01-07T00:00:00", "title": "MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-3501"], "modified": "2019-01-07T00:00:00", "id": "EXPLOITPACK:482A8122D6448FD398DA118B03EDB6BA", "href": "", "sourceData": "# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting\n# Date: 12/31/2018\n# Author: 0xB9\n# Twitter: @0xB9Sec\n# Contact: 0xB9[at]pm.me\n# Software Link: https://community.mybb.com/mods.php?action=view&pid=396\n# Version: 1.8.3\n# Tested on: Ubuntu 18.04\n# CVE: CVE-2019-3501\n\n\n1. Description:\nOUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.\n \n\n2. Proof of Concept:\n\n- Have a mod account level or higher\n- Go to Manage Awards in ModCP\n- Give an award to a user and input payload for reason <script>alert('XSS')</script>\n\n- Payload executes when viewing award on awards.php and user profiles.\n\n\n3. Solution:\nUpdate to 1.8.19", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}