CVE-2018-13000

Name of the Vulnerable Software and Affected Versions Advanced Electron Forum version 1.0.9

Description A persistent XSS issue is located in the FTP Link element of the Private Message module. The editor of the private message module allows inserting links without sanitizing the content, enabling remote attackers to inject malicious script code payloads as a private message. The injection point is the editor FTP Link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges.

Recommendations For Advanced Electron Forum version 1.0.9, consider disabling the FTP Link element in the Private Message module until a patch is available to prevent the injection of malicious script code payloads. Restrict access to the private message module to minimize the risk of exploitation. Avoid using the FTP Link element in the private message editor until the issue is resolved.