GD bbPress 2.5 Cross Site Scripting

2018.05.15

Credit: Luigi Gubello

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary javascript code via filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker.
The variable $error[afilea] in /code/attachments/front.php (line 349) is not escaped.
Public disclosure: https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/
Video PoC: https://www.youtube.com/watch?v=n4xX0ODV1O4
Sent with [ProtonMail](https://protonmail.com) Secure Email.

References:

https://www.gubello.me/blog/gd-bbpress-attachments-2-5-authenticated-stored-xss/

https://www.youtube.com/watch?v=n4xX0ODV1O4

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

GD bbPress 2.5 Cross Site Scripting

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.