PT-2019-15693 · Fudforum · Fudforum
Fuzzlove · Published 2019-11-13 · Updated 2019-11-15 · CVE-2019-18839
| CVSS v3.1 | 9.0 Critical |
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FUDForum version 3.0.9
Description
The issue allows Stored XSS via the nlogin parameter, potentially resulting in remote code execution. An attacker with an ordinary user account can fully compromise the system by sending a single POST request. When the admin views the user information page, the stored payload executes in the admin's browser, enabling PHP files to be written to the web root and code to be executed on the remote server.
Recommendations
For FUDForum version 3.0.9, consider disabling the nlogin parameter as a temporary workaround until a patch is available. Restrict access to user information pages for admins to minimize the risk of exploitation. Avoid using the nlogin parameter in affected API endpoints until the issue is resolved.
Tags: RCE, OS Command Injection, XSS
Affected Products: Fudforum