CVE-2008-4928
Description
Cross-site scripting (XSS) vulnerability in the redirect function in functions.php in MyBB (aka MyBulletinBoard) 1.4.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter in a removesubscriptions action to moderation.php, related to use of the ajax option to request a JavaScript redirect. NOTE: this can be leveraged to execute PHP code and bypass cross-site request forgery (CSRF) protection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MyBB 1.4.2 has an XSS in the redirect function that can be leveraged for PHP code execution and CSRF bypass.
Vulnerability
MyBB (MyBulletinBoard) version 1.4.2 contains a cross-site scripting (XSS) vulnerability in the redirect function within functions.php. The flaw is triggered via the url parameter in a removesubscriptions action to moderation.php, specifically when the ajax option is used to request a JavaScript redirect. The input is not properly sanitized, allowing injection of arbitrary web script or HTML [1].
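The vulnerable code itself is not reproduced in this record, so here is an added PHP example (not MyBB's own functions.php) of a hypothetical ajax redirect helper: the unsafe form splices the url parameter straight into a script block, the hardened form validates the target and escapes it for the JavaScript string it lands in. The function names and the host forum.example.test are assumptions.

```php
<?php
// Added example, not MyBB's own redirect(): a hypothetical helper that emits a
// JavaScript redirect when the "ajax" option is set, shown in the unsafe shape
// the advisory describes and in a hardened shape. $allowed_host is a
// constructed value standing in for the forum's own hostname.

/** Unsafe pattern: caller-supplied $url is spliced raw into a <script> body. */
function ajax_redirect_unsafe(string $url): string
{
    return '<script type="text/javascript">window.location = "' . $url . '";</script>';
}

/**
 * Hardened: accept only a relative path or an http(s) URL on our own host,
 * then encode the value for the JavaScript string literal it lands in.
 */
function ajax_redirect_safe(string $url, string $allowed_host = 'forum.example.test'): string
{
    $fallback = 'index.php';
    $parts = parse_url($url);
    if ($parts === false) {
        $url = $fallback;                                   // unparseable target
    } elseif (isset($parts['scheme'])
        && !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        $url = $fallback;                                   // e.g. javascript: or data:
    } elseif (isset($parts['host']) && strcasecmp($parts['host'], $allowed_host) !== 0) {
        $url = $fallback;                                   // foreign or scheme-relative host
    }
    // JSON_HEX_* turns < > & ' " into \uXXXX escapes, so the literal can neither
    // terminate the string nor close the enclosing <script> element.
    $js = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                            | JSON_UNESCAPED_SLASHES);
    if ($js === false) {                                    // invalid UTF-8 in input
        $js = json_encode($fallback);
    }
    return '<script type="text/javascript">window.location = ' . $js . ';</script>';
}

// Constructed inputs: a benign forum path, a string that would close the
// literal in the unsafe helper, and an off-site target.
$cases = ['usercp.php?action=subscriptions', '";alert(1);//', '//attacker.test/x'];
foreach ($cases as $case) {
    echo ajax_redirect_safe($case), "\n";
}
```

The second case stays inside the quoted literal as `\u0022;alert(1);//` and the third is replaced by the fallback path, which is the behaviour a regression test for this class of bug should assert.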
Exploitation
An attacker can craft a malicious URL containing JavaScript in the url parameter and trick a victim into clicking it. No authentication is required for the XSS itself, but the victim must be logged into MyBB for the attack to have full effect. The injected script can then be used to bypass cross-site request forgery (CSRF) protections and, according to the advisory, can be leveraged to execute PHP code [1].
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data. More critically, the advisory states that the XSS can be used to execute PHP code and bypass CSRF protection, potentially leading to full compromise of the MyBB installation [1].
Mitigation
No official patch or fixed version is mentioned in the available reference [1]. Users should monitor the MyBB project for updates and consider upgrading to a version beyond 1.4.2 if available. As of the publication date, no workaround is documented. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
[1] archives.neohapsis.com/archives/bugtraq/2008-10/0212.html (NVD; exploit)
[2] archives.neohapsis.com/archives/fulldisclosure/2008-10/0472.html (NVD; exploit)
[3] archives.neohapsis.com/archives/bugtraq/2008-10/0203.html (NVD)
[4] www.openwall.com/lists/oss-security/2008/11/01/2 (NVD)
[5] www.securityfocus.com/bid/31935 (NVD)
[6] www.vupen.com/english/advisories/2008/2967 (NVD)
News mentions: 0 (no linked articles in our index yet)