Carbon Forum Persistent Cross-Site Scripting Vulnerability

Vulnerability

A persistent cross-site scripting vulnerability has been identified in Carbon Forum version 5.9.0. This vulnerability allows authenticated administrators to inject malicious JavaScript into the Forum Name field within the dashboard settings. The injected script is stored and executed in the browsers of all users visiting the forum, which could lead to session hijacking and data theft.

Impact

Exploitation of this vulnerability allows for persistent cross-site scripting, where injected scripts are executed in the context of the user visiting the forum.

Reproduction

To reproduce this vulnerability, log in as an administrator and navigate to the dashboard settings. In the Forum Name field, enter a JavaScript payload, such as a script tag containing JavaScript code, and save the changes. The injected script will execute in the browser of any user who visits the forum.
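The defect described above is a stored setting written into page markup without output encoding. The PHP sketch below is an added example, not code from Carbon Forum or from this advisory; the function names, the header template and the 64-character limit are assumptions. It shows the vulnerable rendering pattern beside a hardened one, plus a save-time check for the Forum Name field.

```php
<?php
declare(strict_types=1);

// Added example. Function names are hypothetical, not Carbon Forum's own.

/** Save-time check: 1-64 characters, no angle brackets or control characters. */
function validate_forum_name(string $raw): string
{
    $name = trim($raw);
    // /u counts code points and makes invalid UTF-8 fail the match.
    if (preg_match('/^[^<>\x00-\x1F\x7F]{1,64}$/u', $name) !== 1) {
        throw new InvalidArgumentException('Forum name has bad length or characters.');
    }
    return $name;
}

/** Render-time encoding for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored setting is concatenated into markup as-is. */
function render_header_unsafe(string $forumName): string
{
    return '<h1 class="site-name">' . $forumName . '</h1>';
}

/** Hardened pattern: the same value is encoded in every place it is emitted. */
function render_header_safe(string $forumName): string
{
    return '<h1 class="site-name" title="' . h($forumName) . '">'
         . h($forumName) . '</h1>';
}

// Constructed sample value standing in for a stored Forum Name setting.
$stored = '<script>alert(1)</script>';

echo render_header_unsafe($stored), PHP_EOL; // tag reaches the browser as markup
echo render_header_safe($stored), PHP_EOL;   // tag is emitted as inert text

try {
    validate_forum_name($stored);
} catch (InvalidArgumentException $e) {
    echo 'rejected at save: ', $e->getMessage(), PHP_EOL;
}
echo validate_forum_name('  My Community Forum '), PHP_EOL; // a plain name passes
```

Encoding at render time is the control that matters most, because it also neutralizes values that were stored before any validation was introduced. The save-time check is a second layer and does not clean existing rows.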

Added: Apr 22, 2026, 4:22 PM
Updated: Apr 22, 2026, 4:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 5.9
remediation: 0.0
relevance: 6.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.