Vanilla Forum 2.6.3 Cross Site Scripting

Vanilla Forum version 2.6.3 suffers from a persistent cross site scripting vulnerability.



# CVE-2020-8825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8825

## Vendor:
VanillaForum

## Description:
An XSS payload can be stored through index.php?p=/dashboard/settings/branding. An attacker stores the payload in this section, and when a user visits the page, the attacker gets all of the user's sensitive information.
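
An audit a defender could run over exported branding settings, added here as an example that is not part of the original advisory or of Vanilla's code: it flags stored values containing active markup and shows the encoded form to emit on output. The setting names and sample values are constructed, since the advisory does not name the affected field.

```python
import html
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg"}

class ActiveMarkup(HTMLParser):
    """Records why a stored value would run script if echoed unencoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in {"href", "src"} and url.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")

def audit_settings(settings):
    """Return {key: [findings]} for saved values that contain active markup."""
    report = {}
    for key, value in settings.items():
        parser = ActiveMarkup()
        # Trailing ">" closes a tag left open at the end of the value, which
        # the surrounding page markup would otherwise complete in the browser.
        parser.feed(str(value) + ">")
        parser.close()
        if parser.findings:
            report[key] = parser.findings
    return report

def render_safe(value):
    """Encode a stored value for an HTML text or quoted-attribute context."""
    return html.escape(str(value), quote=True)

# Constructed sample: hypothetical branding fields, not Vanilla's real keys.
SAMPLE = {
    "site_title": "Community Forum",
    "site_description": 'Welcome <img src=x onerror="alert(1)">',
    "banner_title": "<script>alert(1)</script>",
    "homepage_title": "Q&A for <b>members</b>",
    "footer_text": "Contact <a href=javascript:alert(1)",
}

if __name__ == "__main__":
    for key, findings in audit_settings(SAMPLE).items():
        print(key, findings, "->", render_safe(SAMPLE[key]))
```

The audit is a triage aid for values already saved; encoding every stored setting when it is written into the page is what stops the payload from executing.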

## Environment:

Version: 2.6.3
OS: Windows 10, Linux
PHP: 7
URL: index.php?p=/dashboard/settings/branding

## Proof of Concept:
https://github.com/hacky1997/CVE-2020-8825/blob/master/vanilla.png

## Assigned by:
[Sayak Naskar](https://github.com/hacky1997/)



