MyBB 1.8.x < 1.8.5 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 9122
Synopsis
The remote web server is running a PHP application that is vulnerable to multiple attack vectors.
Description
Versions of MyBB (MyBulletinBoard) prior to 1.6.17, or 1.8.x prior to 1.8.5, are affected by the following vulnerabilities:
- A flaw exists that allows a stored cross-site scripting (XSS) attack. This flaw exists because the quick edit function in the '/xmlhttp.php' script does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
- A flaw exists that is triggered when sending an email to a user in 'member.php'. This flaw may allow a remote attacker to spoof the sender of the email.
Solution
Upgrade to MyBB version 1.8.5 or later.