Test ID:	1.3.6.1.4.1.25623.1.0.809094
Category:	Web application abuses
Title:	MyBB Multiple Cross Site Scripting Vulnerabilities
Summary:	MyBB Forum is prone to multiple cross site scripting vulnerabilities.
Description:	Summary: MyBB Forum is prone to multiple cross site scripting vulnerabilities. Vulnerability Insight: Multiple flaws are due to: - The profile editor of the moderator control panel does not properly encode the signature of a user when editing it. - An admin can allow HTML input for specific forums via the setting allowhtml. - An insufficient validation of username parameter in registration. - The files with extension .attach that contain HTML code can be uploaded and are interpreted as HTML files by some default server configurations. - The account activation form echoes a given code unencoded to the user. - In many of the update scripts including upgrade3.php, upgrade12.php, upgrade13.php, upgrade17.php, and upgrade30.php, POST values are echoed without proper encoding. - A CSS Injection error in 'search.php' script. Vulnerability Impact: Successful exploitation will allow remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session in context of an affected site and to bypass csrf protection. Affected Software/OS: MyBB version 1.8.6 Solution: Upgrade to MyBB version 1.8.7 or later. CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Copyright	Copyright (C) 2016 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.