Description
A weakness and a vulnerability have been reported in the Recent Topics on Index page plugin for MyBB, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to bypass certain security restrictions.
1) Input passed via the "subject" parameter to newthread.php (when "action" is set to "do_newthread") is not properly sanitised in inc/plugins/recenttopicsindex.php before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious thread is viewed.
The vulnerability is confirmed in version 1.0.
2) The plugin does not properly enforce MyBB forum permissions, which can lead to e.g. disclosure of forum topics that are hidden for certain access groups.
The weakness is reported in versions prior to 1.0.2.
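The two issues above, shown as an added PHP example that is not the plugin's code: a "recent topics" renderer that outputs the stored subject unchanged and ignores forum permissions, beside one that filters by permission and HTML-encodes at output time. The function names, thread rows, group ids and permission map are constructed for illustration, and the encoding uses PHP's built-in `htmlspecialchars` rather than any MyBB helper.

```php
<?php
// Added example; not the plugin's code. All names and data below are hypothetical.

// Constructed sample rows, shaped like a "recent topics" query result.
$threads = [
    ['tid' => 1, 'fid' => 2, 'subject' => 'Welcome to the board'],
    ['tid' => 2, 'fid' => 2, 'subject' => '<script>alert(1)</script>'],
    ['tid' => 3, 'fid' => 9, 'subject' => 'Staff-only discussion'],
];

// Constructed permission map: forum id => group ids allowed to view it.
$canView = [2 => [1, 2, 4], 9 => [4]];

// Before: the subject is written into the markup as stored, and no
// permission check is made, so both reported issues are present.
function render_unsafe(array $threads): string
{
    $out = '';
    foreach ($threads as $t) {
        $out .= '<a href="showthread.php?tid=' . $t['tid'] . '">' . $t['subject'] . "</a>\n";
    }
    return $out;
}

// After: skip threads in forums the viewer's group may not see, then
// HTML-encode the subject at the point of output.
function render_safe(array $threads, array $canView, int $gid): string
{
    $out = '';
    foreach ($threads as $t) {
        $allowed = $canView[$t['fid']] ?? [];   // unknown forum: deny by default
        if (!in_array($gid, $allowed, true)) {
            continue;
        }
        $subject = htmlspecialchars($t['subject'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= '<a href="showthread.php?tid=' . (int) $t['tid'] . '">' . $subject . "</a>\n";
    }
    return $out;
}

$guest = 1; // hypothetical group id with access to forum 2 only
echo "--- unsafe ---\n", render_unsafe($threads);
echo "--- safe, group $guest ---\n", render_safe($threads, $canView, $guest);
```

In the safe output the second subject appears as inert text (`&lt;script&gt;...`) and the thread from forum 9 is absent for the guest group.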