[Pushed] Theme name in administrator logs
This really isn't a security issue at all, but it should be fixed nonetheless. If you edit something in a theme named <SCRIPT>alert("XSS")</SCRIPT>, you will get a popup on the admin logs page. It doesn't look like there's an htmlspecialchars_uni present for any of the records.

Proof of concept:

Thank you for your report. We have pushed this issue to our GitHub repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there.

Follow this link to visit the issue on GitHub: https://github.com/mybb/mybb/issues/27

Thanks for contributing to MyBB!

The MyBB Group
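
The missing output escaping described in the report, shown as an added example that is not part of the original posts and is not MyBB's code: a log row rendered without escaping next to the same row with every field escaped at output time. The row layout, the function names and `escape_html` (a stand-in built on PHP's own `htmlspecialchars`, not `htmlspecialchars_uni` itself) are assumptions made for illustration.

```php
<?php
// Added example: hypothetical admin-log renderer, not MyBB's code.

// Stand-in for an output-escaping helper such as htmlspecialchars_uni
// (this uses PHP's built-in htmlspecialchars instead).
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: record fields are concatenated into the page as stored.
function render_log_row_unescaped(array $row): string
{
    return '<tr><td>' . $row['username'] . '</td><td>' . $row['action']
        . '</td><td>' . implode(', ', $row['data']) . '</td></tr>';
}

// After: every field is escaped at output time, including each value
// in the free-form data list, whatever its source.
function render_log_row_escaped(array $row): string
{
    $data = array_map(
        static fn($v): string => escape_html((string) $v),
        $row['data']
    );
    return '<tr><td>' . escape_html((string) $row['username'])
        . '</td><td>' . escape_html((string) $row['action'])
        . '</td><td>' . implode(', ', $data) . '</td></tr>';
}

// Constructed sample record; the theme name is the one from the report.
$row = [
    'username' => 'admin',
    'action'   => 'edit_theme',
    'data'     => [4, '<SCRIPT>alert("XSS")</SCRIPT>'],
];

$before = render_log_row_unescaped($row);
$after  = render_log_row_escaped($row);

// The raw markup survives in the first rendering and not in the second.
var_dump(stripos($before, '<script>') !== false);
var_dump(stripos($after, '<script>') !== false);
echo $after, PHP_EOL;
```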
