myBB
cpe:2.3:a:mybb:mybb:*:*:*:*:*:*:*
- 1.8.26
A stored cross-site scripting vulnerability has been identified in myBB Forums version 1.8.26. The issue resides in the forum announcement system and allows authenticated administrators to inject malicious scripts. A script payload can be inserted into the announcement title field while creating an announcement through the 'Forums and Posts' > 'Forum Announcements' interface. Once the announcement is displayed on the forum, the injected JavaScript executes.
Because the payload is stored with the announcement, the injected script executes in the context of the user viewing the announcement.
To reproduce this vulnerability, log in as an administrator and navigate to 'Forums and Posts' > 'Forum Announcements'. Select 'Add Announcement' and enter a script payload, such as an image tag with an 'onerror' event, into the title field. After saving the announcement, the injected script will execute when the announcement is displayed on the forum.
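The general defence against this class of bug is to encode the title when it is written into the page. The following is an added example, not myBB source code and not part of the original advisory: hypothetical PHP functions that show the unencoded rendering pattern beside an encoded one, plus a check for reviewing announcement titles that are already stored. The function names, the surrounding markup and the sample titles are assumptions constructed for illustration.

```php
<?php
// Added illustration; not myBB source code. All function names are hypothetical.

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so any tag or event handler in it becomes part of the page.
function render_title_unsafe(string $title): string
{
    return '<td class="announcement-title">' . $title . '</td>';
}

// Hardened pattern: encode at output so the title is always rendered as text.
function render_title_safe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="announcement-title">' . $encoded . '</td>';
}

// Audit helper: flag titles that contain tag-like markup, including markup
// hidden behind HTML entities, so already-saved records can be reviewed.
function title_needs_review(string $title): bool
{
    $decoded = html_entity_decode($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_match('/<\s*\/?\s*[a-z!]/i', $decoded) === 1;
}

// Constructed sample titles (not taken from any real forum).
$titles = [
    'Scheduled maintenance on Friday',
    'Rules update: 2 < 3 posts per minute',
    '<img src=x onerror=alert(1)>',
];

foreach ($titles as $t) {
    // Print the review verdict next to the safely encoded rendering.
    printf("%-6s %s\n", title_needs_review($t) ? 'REVIEW' : 'ok', render_title_safe($t));
}
```

The audit check is a triage aid for existing records; encoding at output is what prevents execution.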