MyBB 1.8.2 'usercp.php' HTML Injection Vulnerability

Nessus Network Monitor Plugin ID 8619 (Severity: High)

Synopsis

The remote web server is running an outdated PHP application that is prone to an HTML injection vulnerability.

Description

The remote web server hosts MyBulletinBoard, a web-based discussion board application.

MyBB version 1.8.2 is prone to an HTML injection vulnerability; other versions may also be affected. The application fails to sufficiently sanitize user-supplied input submitted to the 'usertitle' POST parameter of the 'usercp.php' script. Attacker-supplied HTML or JavaScript code could run in the context of the affected site, compromising its contents or granting unauthorized access.

Solution

Upgrade to MyBB version 1.8.3 or higher.

See Also

http://www.nessus.org/u?273541d7

http://www.exploit-db.com/exploits/35266

Plugin Details

Severity: High

ID: 8619

Family: CGI

Published: 1/19/2015

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mybb:mybb

Patch Publication Date: 11/17/2014

Vulnerability Publication Date: 11/17/2014

Reference Information

BID: 71270