0day.today - Biggest Exploit Database in the World.
MyBB Visual Editor 1.8.18 Cross Site Scripting Vulnerability
Security Risk Medium
[+] Title: MyBB Visual Editor Stored XSS <= v1.8.18
[+] Author: Numan OZDEMIR
[+] Vendor Homepage: mybb.com
[+] Software Link: https://mybb.com/download/
[+] Version: Up to v1.8.18. Fixed in v1.8.19.
[+] PoC Video: https://numanozdemir.com/mybb/xss.mp4
[+] CVE: CVE-2018-17128
[+] Discovered by Numan OZDEMIR in InfinitumIT Labs
[+] root@numanozdemir.com - info@infinitumit.com.tr

[~] Description:
An attacker can run JavaScript code in a victim user's browser while the victim is replying to a post. The 'videotype' section causes this.

[~] How to Reproduce:
1)- Go to the thread posting page (newthread.php; enter a title and content).
2)- Click the "insert a video" command. Select any source and insert any URL.
3)- Edit the video source with your payload. Or, directly add this code:
[video=PAYLOAD]http://victim.com[/video]
Example:
[video=PA<svg/onload=alert('xss')>YLOAD]http://victim.com[/video]
4)- Post the thread. While the victim user is replying to your post, their browser will run the JavaScript.

Vulnerable pages:
editpost.php
newreply.php
private.php
and all Visual Editor embedded pages.

// for secure days...

# 0day.today [2024-06-28] #
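
Added example (not part of the original advisory, and not MyBB or SCEditor code): a simplified model of turning a [video=TYPE]URL[/video] tag into markup, showing the unchecked type next to a version that allowlists the type and escapes everything else. The function names, the allowlist contents and the video.example URL are assumptions made for illustration.

```javascript
// Simplified model of rendering [video=TYPE]URL[/video]; not MyBB or SCEditor code.
// ALLOWED_VIDEO_TYPES and all function names are assumptions for illustration.
const ALLOWED_VIDEO_TYPES = new Set(['youtube', 'vimeo', 'dailymotion']);
const VIDEO_TAG = /\[video=([^\]]*)\]([\s\S]*?)\[\/video\]/gi;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Before: the video type is concatenated into markup unchecked.
function renderNaive(bbcode) {
  return bbcode.replace(VIDEO_TAG, (m, type, url) =>
    '<span class="video" data-type="' + type + '">' + url + '</span>');
}

// After: allowlist the type, require an http(s) URL, escape everything else.
function renderVideoTag(raw, type, url) {
  const t = type.trim().toLowerCase();
  let parsed = null;
  try { parsed = new URL(url.trim()); } catch (e) { /* not a URL */ }
  const okUrl = parsed !== null && /^https?:$/.test(parsed.protocol);
  if (!ALLOWED_VIDEO_TYPES.has(t) || !okUrl) {
    return escapeHtml(raw); // rejected tags are shown as inert text
  }
  return '<span class="video" data-type="' + t + '">' + escapeHtml(parsed.href) + '</span>';
}

function renderSafe(bbcode) {
  let out = '';
  let last = 0;
  for (const m of bbcode.matchAll(VIDEO_TAG)) {
    out += escapeHtml(bbcode.slice(last, m.index)); // text between tags
    out += renderVideoTag(m[0], m[1], m[2]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(bbcode.slice(last));
}

// Inputs: the tag quoted in the advisory, and a constructed well-formed tag.
const ADVISORY_TAG = "[video=PA<svg/onload=alert('xss')>YLOAD]http://victim.com[/video]";
const GOOD_TAG = '[video=youtube]https://video.example/watch?v=abc[/video]';

console.log(renderNaive(ADVISORY_TAG)); // markup from the type reaches the page
console.log(renderSafe(ADVISORY_TAG));  // same tag rendered as escaped text
console.log(renderSafe(GOOD_TAG));
```

The same check belongs on the server as well as in the editor, since every page that embeds the Visual Editor renders the stored tag.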