PT-2025-50746 · Xmb Forum · Xmb Forum
Chokri Hammedi · Published 2025-12-11 · Updated 2025-12-12
CVE-2024-58292 · CVSS v4.0 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
XMB Forum version 1.9.12.06
Description
XMB Forum contains a stored (persistent) cross-site scripting vulnerability in its administration panel. An authenticated administrator can place arbitrary HTML and JavaScript into template content, such as the footer template, and into front page settings, such as the news ticker field. The submitted content is saved and later rendered into forum pages without output encoding, so the script executes in the browser of every user who views those pages. The affected pages are the template modification and front page settings screens of the admin panel; the vulnerable parameters are the content fields of those forms (the footer template and the news ticker field). Note that exploitation as described requires an administrator account, which does not match the PR:N (no privileges required) component of the CVSS vector shown above.
Recommendations
Apply the vendor's update for this issue as soon as one is available for your installation; this advisory does not list a fixed version. Until then, keep the number of administrator accounts to a minimum and restrict access to the template modification and front page settings pages, since any administrator (or an attacker who obtains an administrator session) can plant a payload that runs for every visitor. In the code, encode field content for its HTML context at render time (htmlspecialchars or equivalent) rather than trusting it because an administrator entered it; where a field such as the news ticker legitimately needs limited markup, pass it through an allow-list sanitizer that strips script elements, event-handler attributes and javascript: URLs. A Content-Security-Policy that disallows inline script limits the impact of any payload that still reaches a page.
Affected Products
Xmb Forum