MyBB Export User 2.0 Cross Site Scripting

MyBB Export User plugin version 2.0 suffers from a cross site scripting vulnerability.

Packet Storm
# Exploit Title: MyBB Export User Plugin 2.0 - Cross-Site Scripting
# Date: January 29, 2021
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1408
# Version: 2.0
# Tested On: Windows 10
# CVE: CVE-2023-27890

Description:
This plugin allows users to request their data to export. XSS occurs when admin is generating data for user.

Proof of Concept:
- As a regular user go to User CP -> Edit Profile
- Add a payload in Custom User Title, Location, or Bio <script>alert(1)</script>
- Request your data via User CP -> DSGVO data request
- Login as admin you will be notified a user wants their data
- When generating the users data their payload will execute
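
The advisory describes a stored XSS: profile fields saved by a regular user are later rendered in the admin's data-export view. The following is an added example, not the plugin's code, showing that rendering step without and with output encoding; the function names, row layout and markup are assumptions.

```php
<?php
// Added illustration, not the Export User plugin's code. Function names, the
// row layout and the markup are assumptions made for this example.

// Constructed sample row holding the three fields the advisory names.
$user = [
    'usertitle' => '<script>alert(1)</script>', // payload string from the advisory
    'location'  => 'Berlin',
    'bio'       => "First line\nSecond line",
];

const EXPORT_FIELDS = [
    'usertitle' => 'Custom User Title',
    'location'  => 'Location',
    'bio'       => 'Bio',
];

// Weak pattern: stored profile values are concatenated into the admin page raw.
function render_export_unsafe(array $user): string
{
    $rows = '';
    foreach (EXPORT_FIELDS as $key => $label) {
        $rows .= "<tr><th>{$label}</th><td>{$user[$key]}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

// Hardened pattern: encode every value for the HTML context at output time,
// then add <br> for newlines (encode first, so the <br> tags are ours).
function render_export_safe(array $user): string
{
    $rows = '';
    foreach (EXPORT_FIELDS as $key => $label) {
        $raw   = (string) ($user[$key] ?? '');
        $value = nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
        $rows .= "<tr><th>{$label}</th><td>{$value}</td></tr>\n";
    }
    return "<table>\n{$rows}</table>\n";
}

echo "--- unescaped ---\n", render_export_unsafe($user);
echo "--- escaped ---\n", render_export_safe($user);
```

Encoding happens where the value is written into HTML rather than when the profile is saved, so values already stored in the database are covered as well.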

Related news

CVE-2023-27890: MyBB Export User 2.0 Cross Site Scripting ≈ Packet Storm

** UNSUPPORTED WHEN ASSIGNED ** The Export User plugin through 2.0 for MyBB allows XSS during the process of an admin generating DSGVO data for a user, via the Custom User Title, Location, or Bio field. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
