Jacksonhhax

**Name of the Vulnerable Software and Affected Versions** XenForo versions 2.2.7 and earlier **Description** A threat actor with access to the admin panel can create a new Advertisement via the Advertising function and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side. **Recommendations** For XenForo versions 2.2.7 and earlier, as a temporary workaround, consider disabling the Advertising function until a patch is available. Restrict access to the admin panel to minimize the risk of exploitation. Avoid using the Advertising function to save HTML documents that may contain malicious payloads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.