First published: Tue Aug 28 2018
An issue was discovered in inc/class_feedgeneration.php in MyBB 1.8.17. On the forum RSS Syndication page, one can generate a URL such as http://localhost/syndication.php?fid=&type=atom1.0&limit=15. The thread titles (within title elements of the generated XML documents) aren't sanitized, leading to XSS.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
MyBB MyBB | =1.8.17 | |
The vulnerability ID of this issue is CVE-2018-15596.
The severity of CVE-2018-15596 is medium with a CVSS score of 6.1.
The affected software of CVE-2018-15596 is MyBB version 1.8.17.
The vulnerability in MyBB 1.8.17 is reached through the forum RSS Syndication page: a URL generated there returns an XML document in which the thread titles are not sanitized.
A fix is available for CVE-2018-15596 in MyBB 1.8.18, which is a security maintenance release.
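The condition described above, thread titles reaching the feed's title elements unescaped, can be checked on feed output. The Python sketch below is an added example, not MyBB's code: `build_feed` is a constructed stand-in for a feed generator, the sample titles are constructed, and titles are assumed to be plain text.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

def build_feed(titles, sanitize):
    """Constructed stand-in for a feed generator (not MyBB's code)."""
    entries = "".join(
        "<entry><title>%s</title></entry>" % (escape(t) if sanitize else t)
        for t in titles
    )
    return ('<feed xmlns="http://www.w3.org/2005/Atom">'
            "<title>Forum</title>%s</feed>" % entries)

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def audit_titles(feed_xml):
    """Return one finding per title element that carries markup, not text."""
    try:
        root = ET.fromstring(feed_xml)
    except ET.ParseError as exc:
        # A raw '&' or unbalanced '<' from a title breaks well-formedness.
        return ["feed is not well-formed XML: %s" % exc]
    findings = []
    for element in root.iter():
        if local_name(element.tag) != "title":
            continue
        children = [local_name(child.tag) for child in element]
        if children:
            findings.append("title contains child elements: " + ", ".join(children))
    return findings

def title_texts(feed_xml):
    """Text of every title element, as a feed reader would receive it."""
    root = ET.fromstring(feed_xml)
    return [e.text for e in root.iter() if local_name(e.tag) == "title"]

# Constructed sample thread titles.
MARKUP_TITLE = "<script>alert(1)</script>"
AMPERSAND_TITLE = "Rules & guidelines"

if __name__ == "__main__":
    for sanitize in (False, True):
        for title in (MARKUP_TITLE, AMPERSAND_TITLE):
            print(sanitize, repr(title), audit_titles(build_feed([title], sanitize)))
```

An empty list from `audit_titles` means every title element parsed as plain text; the same function can be run on the XML saved from a syndication URL.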