SimpleMachines SMF Reflected Cross-Site Scripting Vulnerability in ManageNews.php

A reflected cross-site scripting vulnerability has been identified in SimpleMachines Forum (SMF) version 2.1.4. The issue resides in the 'subject' parameter of the 'ManageNews.php' file, where improper handling of input allows for the injection of malicious scripts. This vulnerability can be exploited remotely, potentially affecting users who view the injected content.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, set the 'subject' parameter to a script payload, such as a JavaScript alert script. Then, send a POST request to the 'index.php' file with the 'action' parameter set to 'admin', 'area' set to 'news', and 'sa' set to 'mailingsend'. Include the script payload in the 'subject' parameter, along with a message parameter that can also contain a script payload. After sending the request, the injected script will be executed, demonstrating the cross-site scripting vulnerability.