myBB Forums Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in myBB Forums version 1.8.26. This issue resides within the template management system, allowing authenticated administrators to inject malicious scripts while creating new templates. The vulnerability can be exploited by inserting script payloads into the template title field through the 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates' interface. Once the template is viewed, the injected JavaScript executes, leading to potential malicious actions.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the template.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to 'Templates and Style' > 'Templates' > 'Manage Templates' > 'Global Templates'. Select 'Add New Template' and enter a script payload in the title field. After saving the template, the injected script will execute when the template is viewed. This vulnerability can also be reproduced by injecting scripts into the 'Add New Forum' or 'Add Announcement' interfaces, with the same execution outcome.