## https://sploitus.com/exploit?id=PACKETSTORM:173139
# Exploit Title: MyBB [PGM] Favicon Plugin 1.0 – Cross-Site Scripting  
# Date: May 2, 2023  
# Author: 0xB9  
# Twitter: @0xB9sec  
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1554  
# Version: 1.0  
# Tested On: Windows 10  
  
Description:  
  
The favicon URL entered in the plugin's settings is not sanitized or escaped before it is written into the page markup, which allows stored cross-site scripting.  
  
Proof of Concept:  
  
– In the admin dashboard go to Configuration > Settings > Favicon  
– Enter the following payload in the URL input: "><script>alert(1)</script>.ico  
– Visit any page on the forum to trigger the payload
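The root cause described above is a setting value being written into an HTML attribute without validation or escaping. The following PHP is an added illustration, not the plugin's or MyBB's own code: a hypothetical favicon-link renderer showing the unsafe pattern next to a hardened version that validates the URL and escapes it for the attribute context. The function names, the default fallback path and the sample input are assumptions constructed for the example.

```php
<?php
// Added example (hypothetical, not the plugin's code): rendering a favicon
// setting unsafely versus safely.

// Unsafe: the raw setting value is concatenated straight into an attribute.
// A double quote in the value closes the href attribute and the tag.
function render_favicon_unsafe(string $url): string
{
    return '<link rel="icon" href="' . $url . '">';
}

// Hardened: accept only absolute http(s) URLs, then escape for an HTML
// attribute context so quotes and angle brackets become entities.
function render_favicon_safe(string $url, string $fallback = '/favicon.ico'): string
{
    $url = trim($url);
    $isValid = filter_var($url, FILTER_VALIDATE_URL) !== false;
    $scheme  = strtolower((string) parse_url($url, PHP_URL_SCHEME));

    if (!$isValid || !in_array($scheme, ['http', 'https'], true)) {
        // Reject anything that is not a well-formed http(s) URL (this also
        // rejects javascript: and data: schemes) and use the assumed default.
        $url = $fallback;
    }

    // ENT_QUOTES encodes both " and ' so the value cannot terminate the
    // attribute; ENT_SUBSTITUTE avoids returning an empty string on bad UTF-8.
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="icon" href="' . $escaped . '">';
}

// Constructed input: the payload string from the proof of concept above.
$payload = '"><script>alert(1)</script>.ico';

echo render_favicon_unsafe($payload), PHP_EOL;                      // attribute breakout
echo render_favicon_safe($payload), PHP_EOL;                        // rejected, fallback used
echo render_favicon_safe('https://example.com/favicon.ico'), PHP_EOL; // passes through escaped
```

Validation and escaping are separate controls and both belong here: escaping alone stops the attribute breakout, but without the scheme check a value such as a `javascript:` URL would still be emitted verbatim into `href`. Inside MyBB itself the escaping step is normally done with its `htmlspecialchars_uni()` helper rather than the plain `htmlspecialchars()` used in this stand-alone example. Whether relative paths should be accepted as well is a product decision; the check above deliberately limits the setting to absolute http(s) URLs.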