CVE-2020-7050

Name of the Vulnerable Software and Affected Versions Codologic Codoforum versions 4.8.4 and earlier

Description The issue allows for a DOM-based XSS attack. When creating a new topic, a user can add a poll that is automatically loaded into the DOM when the thread or topic is opened. Since session cookies lack the HttpOnly flag, an attacker can steal authentication cookies, potentially leading to account takeovers.

Recommendations For Codologic Codoforum versions 4.8.4 and earlier, as a temporary workaround, consider disabling the poll feature until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using session cookies without the HttpOnly flag until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.