## https://sploitus.com/exploit?id=PACKETSTORM:173139
# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 - Cross-Site Scripting
# Date: May 2, 2023
# Author: 0xB9
# Twitter: @0xB9sec
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554
# Version: 1.0
# Tested On: Windows 10
Description:
The favicon input in the settings doesn't sanitize the favicon URL.
Proof of Concept:
- In the admin dashboard go to Configuration > Settings > Favicon
- Enter the following payload in the URL input: "><script>alert(1)</script>.ico
- Visit any page on the forum to trigger the payload
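
The missing sanitization described above, as an added example that is not the plugin's own code: a hypothetical rendering function that concatenates the setting as-is, beside a hardened one that validates the value and escapes it for the HTML attribute context. All function names and the benign sample URL are assumptions.

```php
<?php
// Added example; function names are hypothetical, not taken from the plugin.

// Vulnerable pattern: the stored setting is placed into the attribute unescaped.
function favicon_tag_unsafe(string $url): string
{
    return '<link rel="shortcut icon" href="' . $url . '" />';
}

// Validation: accept only a site-relative path or an http(s) URL to an icon file.
function favicon_url_is_valid(string $url): bool
{
    // Reject empty values, control characters, whitespace and markup delimiters.
    if ($url === '' || preg_match('/[\x00-\x20"\'<>`\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['path'])) {
        return false;
    }
    // A scheme, when present, must be http or https (blocks javascript:, data:).
    if (isset($parts['scheme'])) {
        $scheme = strtolower($parts['scheme']);
        if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
            return false;
        }
    }
    return (bool) preg_match('/\.(ico|png|gif)$/i', $parts['path']);
}

// Hardened output: validate first, then encode for the attribute context anyway.
function favicon_tag_safe(string $url): string
{
    if (!favicon_url_is_valid($url)) {
        return ''; // emit no tag rather than attacker-influenced markup
    }
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<link rel="shortcut icon" href="' . $href . '" />';
}

// Constructed inputs: the value from this page's PoC and a benign URL.
$samples = ['"><script>alert(1)</script>.ico', 'https://forum.example/images/favicon.ico'];
foreach ($samples as $s) {
    echo "input:  $s\n";
    echo "unsafe: " . favicon_tag_unsafe($s) . "\n";
    echo "safe:   " . favicon_tag_safe($s) . "\n\n";
}
```

Validation belongs where the setting is saved and encoding where it is printed; applying both means a value already stored before the fix is still rendered inert.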