GD bbPress 2.5 Cross Site Scripting

2018.05.15
Credit: Luigi Gubello
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary javascript code via filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker. The variable $error[afilea] in /code/attachments/front.php (line 349) is not escaped. Public disclosure: https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/ Video PoC: https://www.youtube.com/watch?v=n4xX0ODV1O4 Sent with [ProtonMail](https://protonmail.com) Secure Email.

References:

https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/
https://www.youtube.com/watch?v=n4xX0ODV1O4


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top