CVE-2018-25248
5.1 Medium
Published:
Last updated:
Source:disclosure@vulncheck.com
Analyzed
Weakness (CWE)
CVSS Vector
v4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: Low
- User Interaction: Passive
- Confidentiality (Vulnerable): None
- Integrity (Vulnerable): None
- Availability (Vulnerable): None
- Confidentiality (Subsequent): Low
- Integrity (Subsequent): Low
- Availability (Subsequent): None
Description
MyBB Downloads Plugin 2.0.3 contains a persistent cross-site scripting vulnerability that allows regular members to inject malicious scripts through the download title field. Attackers can submit a new download with HTML/JavaScript code in the title parameter, which executes when administrators validate the download in downloads.php.
References
- https://community.mybb.com/mods.php?action=view&pid=854 (disclosure@vulncheck.com)
- https://www.exploit-db.com/exploits/44400 (disclosure@vulncheck.com)
- https://www.vulncheck.com/advisories/mybb-downloads-plugin-persistent-xss-via-downloads-php (disclosure@vulncheck.com)