MyBB OUGC Awards 1.8.3 Cross Site Scripting

🗓️ 07 Jan 2019 00:00:00Reported by 0xB9Type

packetstorm🔗 packetstormsecurity.com👁 40 Views

MyBB OUGC Awards Plugin v1.8.3 Cross-Site Scripting CVE-2019-350

Reporter	Title	Published	Views	Family All 9
0day.today	MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting Vulnerability	7 Jan 201900:00	–	zdt
CNVD	MyBB OUGC Awards Plugin Cross-Site Scripting Vulnerability	4 Jan 201900:00	–	cnvd
CVE	CVE-2019-3501	2 Jan 201913:00	–	cve
Cvelist	CVE-2019-3501	2 Jan 201913:00	–	cvelist
Exploit DB	MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting	7 Jan 201900:00	–	exploitdb
EUVD	EUVD-2019-13138	7 Oct 202500:30	–	euvd
exploitpack	MyBB OUGC Awards Plugin 1.8.3 - Persistent Cross-Site Scripting	7 Jan 201900:00	–	exploitpack
NVD	CVE-2019-3501	2 Jan 201913:29	–	nvd
Prion	Cross site scripting	2 Jan 201913:29	–	prion

`# Exploit Title: MyBB OUGC Awards Plugin v1.8.3 - Cross-Site Scripting  
# Date: 12/31/2018  
# Author: 0xB9  
# Twitter: @0xB9Sec  
# Contact: 0xB9[at]pm.me  
# Software Link: https://community.mybb.com/mods.php?action=view&pid=396  
# Version: 1.8.3  
# Tested on: Ubuntu 18.04  
# CVE: CVE-2019-3501  
  
  
1. Description:  
OUGC Awards plugin for MyBB forum allows admins and moderators to grant awards to users which displays on profiles/posts. The reason input isn't sanitized on awards page and user profiles.  
  
  
2. Proof of Concept:  
  
- Have a mod account level or higher  
- Go to Manage Awards in ModCP  
- Give an award to a user and input payload for reason <script>alert('XSS')</script>  
  
- Payload executes when viewing award on awards.php and user profiles.  
  
  
3. Solution:  
Update to 1.8.19  
  
`

07 Jan 2019 00:00Current

0.1Low risk

Vulners AI Score0.1

EPSS0.00227