Lucene search

Sayak NaskarEDB-ID:48042

HistoryFeb 11, 2020 - 12:00 a.m.

Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting

2020-02-1100:00:00

Sayak Naskar

www.exploit-db.com

123

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Sayak Naskar
# Vendor Homepage: https://vanillaforums.com/en/
# Version: 2.6.3
# Tested on: Windows, Linux
# CVE : CVE-2020-8825

A Stored xss was found in Vanillaforum 2.6.3 .

index.php?p=/dashboard/settings/branding

# Proof of Concept:

An attacker will insert a payload on branding section. So, whenever an user will open the branding section then attacker automatically get all sensitive information of the user.

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

46.0%

JSON

Related for EDB-ID:48042