YetAnotherForum.NET
- 4.0.4
- <= 3.2.11
A stored cross-site scripting vulnerability has been identified in YetAnotherForum.NET (YAF.NET) versions prior to 4.0.5 and 3.2.12. The issue arises in the thread posting and reply feature, which accepts user-generated content that is saved on the server and later displayed on the thread page without proper HTML sanitization or contextual output encoding. This flaw allows injected JavaScript to execute in the browsers of all users viewing the affected thread, including moderators and administrators.
Exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the browsers of all users who load the affected thread. This could lead to session or authentication cookie theft, account takeover, forced actions if an administrator views the thread, credential phishing, forum defacement, or the delivery of malware or cryptominers.
To reproduce this vulnerability, log in to the forum as a user with permission to post or reply. Navigate to a thread where posting is allowed, or create a new thread. In the post or reply body, insert a payload that breaks out of the HTML context, such as an image tag with an 'onerror' event. Once the post or reply is published, the injected JavaScript will execute automatically for any user who views the thread.
Users can upgrade to YetAnotherForum.NET versions 4.0.5 or 3.2.12 to address this vulnerability.
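Because the payload is saved with the post, existing post bodies can be reviewed for markup a browser would execute. The triage script below is an added example, not YAF.NET code or part of the advisory. The `(id, body)` export format and the sample rows are assumptions constructed here. It generalizes from the image/`onerror` case described above to any event-handler attribute, script-capable element, or `javascript:` URL.

```python
from html.parser import HTMLParser

# Elements that have no place in a forum post body.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL and could carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveMarkupFinder(HTMLParser):
    """Collects markup in a stored post body that a browser would execute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes
        # character references in attribute values before calling this.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_post(body):
    """Return a list of findings for one stored post body."""
    finder = ActiveMarkupFinder()
    finder.feed(body)
    finder.close()
    return finder.findings


def triage(posts):
    """Return {post_id: findings} for the posts that need manual review."""
    return {pid: f for pid, body in posts if (f := scan_post(body))}


# Constructed sample rows (id, stored body); not taken from a real forum.
SAMPLE_POSTS = [
    (101, "Thanks, upgrading to 4.0.5 fixed it for me."),
    (102, 'Screenshot: <img src="x" onerror="alert(1)">'),
    (103, "Use 1 &lt; 2 and <b>bold</b> text."),
    (104, '<a href="javascript:alert(1)">docs</a>'),
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_POSTS).items():
        print(pid, findings)
```

A hit is a prompt for manual review of that post, not proof of compromise, and an empty result does not replace upgrading.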