PT-2019-15708 · Fudforum · Fudforum

Liquidsky · Published 2019-11-12 · Updated 2019-11-15 · CVE-2019-18873

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FUDForum version 3.0.9

Description: The issue is a stored XSS via the User-Agent HTTP header, which can potentially be escalated to remote code execution. An attacker with an ordinary user account stores the payload by sending a GET request with a crafted User-Agent header. When an admin views that user's information under "User Manager" in the control panel, the payload executes in the admin's browser, which can be used to write PHP files to the web root and execute code on the remote server. The problem is located in the admsession.php and admuser.php files.

Recommendations: For FUDForum version 3.0.9, consider disabling User-Agent HTTP header processing in admsession.php and admuser.php as a temporary workaround until a patch is available. Restrict access to the "User Manager" section in the control panel to minimize the risk of exploitation. Avoid using the User-Agent header in GET requests to the affected system until the issue is resolved.
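The root cause and the fix, as an added illustration that is not FUDforum's code: a stored User-Agent value echoed verbatim into the admin's "User Manager" page versus the same row rendered with HTML encoding, plus a small check that flags User-Agent values carrying markup in combined-format access logs. The user record, the log lines and the function names are all constructed for this example.

```python
import html
import re

# Constructed user record, as an admin page might load it from the database.
USER_RECORD = {
    "login": "alice",
    "user_agent": "Mozilla/5.0 <script>probe()</script>",
}

def render_user_row_unsafe(record):
    """Flaw class from the advisory: the stored header reaches the admin's browser unencoded."""
    return f"<tr><td>{record['login']}</td><td>{record['user_agent']}</td></tr>"

def render_user_row(record):
    """Hardened form: every attacker-controlled field is HTML-encoded (quotes included) before output."""
    login = html.escape(record["login"], quote=True)
    ua = html.escape(record["user_agent"], quote=True)
    return f"<tr><td>{login}</td><td>{ua}</td></tr>"

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent".
# Assumes no unescaped double quotes inside the quoted fields (Apache escapes them as \").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A '<' followed by a tag or comment opener is not something a real browser puts in its UA.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)

def suspicious_user_agents(log_lines):
    """Return (client_ip, user_agent) for each line whose User-Agent carries HTML markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and MARKUP_RE.search(m.group("ua")):
            hits.append((m.group("ip"), m.group("ua")))
    return hits

# Constructed sample access-log lines (not taken from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Nov/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [12/Nov/2019:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 <script>probe()</script>"',
]

if __name__ == "__main__":
    print(render_user_row_unsafe(USER_RECORD))
    print(render_user_row(USER_RECORD))
    print(suspicious_user_agents(SAMPLE_LOG))
```

Encoding on output is the durable fix; the log check only helps spot attempts against an unpatched install and will miss values that are stored via a path the web server does not log.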

Tags: Exploit · Fix · RCE · OS Command Injection · XSS


Related Identifiers: CVE-2019-18873

Affected Products: Fudforum