XMB Forum Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in XMB Forum version 1.9.12.06. This vulnerability allows authenticated administrators to inject malicious JavaScript into templates and front page settings. The injected scripts are executed for all users when the affected pages are viewed. The vulnerability can be exploited by inserting XSS payloads into footer templates or news ticker fields, with the scripts being executed in the context of the user viewing the forum.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the browsers of users visiting the forum, potentially leading to session hijacking, data theft, or other malicious activities.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the administration panel. XSS payloads can be injected into the footer template or the 'News in Newsticker' field under Front Page Options. After saving the changes, the payload will execute when the corresponding template or news ticker is displayed.
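The 'News in Newsticker' value is a text setting that ends up inside HTML, so the fix on the rendering side is output encoding. The following PHP is an added example, not XMB's own code: the function names, the `div` wrapper and the sample values are assumptions, and it shows the raw-echo pattern that produces the stored XSS beside an encoded version, plus a small audit helper for checking already-stored values.

```php
<?php
// Added example (not XMB's own code): rendering the 'News in Newsticker'
// setting with and without output encoding. Function names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the stored admin value is emitted verbatim into HTML,
// so any markup saved through Front Page Options runs in every viewer's browser.
function renderNewstickerUnsafe(string $stored): string
{
    return '<div class="newsticker">' . $stored . '</div>';
}

// Hardened pattern: treat the setting as text, not markup. ENT_QUOTES encodes
// both quote styles as well as < > &, so the value cannot break out of the
// element or start a new one; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function renderNewstickerSafe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="newsticker">' . $encoded . '</div>';
}

// Audit helper for incident response: flags a stored setting that contains
// tags, inline event handlers or a javascript: URL, none of which a plain-text
// news item should carry. Intended for review, not as a substitute for encoding.
function looksLikeMarkup(string $stored): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:/i', $stored);
}

// Constructed sample values, not data taken from the advisory.
$samples = [
    'Forum maintenance Friday 22:00 UTC',   // plain text, renders unchanged
    'Welcome & enjoy "the" forum',          // special characters, safely encoded
    '<script>alert(1)</script>',            // stored payload, neutralised by encoding
];

foreach ($samples as $value) {
    printf("%-5s %s\n", looksLikeMarkup($value) ? 'FLAG' : 'ok', $value);
    echo '  unsafe: ', renderNewstickerUnsafe($value), PHP_EOL;
    echo '  safe:   ', renderNewstickerSafe($value), PHP_EOL;
}
```

Output encoding does not apply to the footer template, which is assumed here to be HTML by design; for that field the controls are limiting who holds template-editing rights and a Content-Security-Policy that disallows inline scripts.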

Added: Dec 11, 2025, 10:38 PM
Updated: Dec 11, 2025, 10:38 PM

Vulnerability Rating

Custom Algorithm

metric          score
spread          3.4
impact          1.7
exploitability  6.3
remediation     0.0
relevance       1.3
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.