CVE-2014-9241
Description
Multiple cross-site scripting (XSS) vulnerabilities in MyBB (aka MyBulletinBoard) 1.8.x before 1.8.2 allow remote attackers to inject arbitrary web script or HTML via the (1) type parameter to report.php, (2) signature parameter in a do_editsig action to usercp.php, or (3) title parameter in the style-templates module in an edit_template action or (4) file parameter in the config-languages module in an edit action to admin/index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MyBB 1.8.x before 1.8.2 contains multiple cross-site scripting vulnerabilities via various parameters, allowing arbitrary script injection.
Vulnerability
MyBB versions 1.8.0 through 1.8.1 are affected by multiple cross-site scripting (XSS) vulnerabilities. The flaws exist in the type parameter of report.php, the signature parameter in the do_editsig action of usercp.php, the title parameter in the style-templates module's edit_template action, and the file parameter in the config-languages module's edit action of admin/index.php. MyBB 1.6.15 is not affected [1].
Exploitation
An attacker can exploit these vulnerabilities by crafting a malicious URL or form submission containing JavaScript in the vulnerable parameters. For report.php, no authentication is required. For usercp.php, the victim must be logged in and submit the signature edit form. The admin module vectors require an authenticated administrator to access the respective pages. The attacker does not need any special network position beyond being able to deliver the crafted link or form to the target user.
Impact
Successful exploitation allows an attacker to inject arbitrary web script or HTML into the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data, depending on the victim's privileges. The impact is limited to the browser session of the targeted user.
Mitigation
The MyBB team released version 1.8.2 on November 13, 2014, which fixes these vulnerabilities [1]. Users should upgrade immediately. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.