PT-2021-23721 · Xenforo · Xenforo

Jackson Henry

Published

2021-11-03

Updated

2021-11-05

CVE-2021-43032

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions XenForo versions 2.2.7 and earlier

Description A threat actor with access to the admin panel can create a new Advertisement via the Advertising function and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

Recommendations For XenForo versions 2.2.7 and earlier, as a temporary workaround, consider disabling the Advertising function until a patch is available. Restrict access to the admin panel to minimize the risk of exploitation. Avoid using the Advertising function to save HTML documents that may contain malicious payloads until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2021-43032

Affected Products

Xenforo

PT-2021-23721 · Xenforo · Xenforo

CVE-2021-43032

Weakness Enumeration

Related Identifiers

Affected Products

References · 6