Vanilla Forum 2.6.3 CVE-2020-8825 – Cross Site Scripting

February 13, 2020   |   by Zeroday
# CVE-2020-8825
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8825
    
## Vendor:
    VanillaForum 

## Description:   
    It is possible to store xss payload in index.php?p=/dashboard/settings/branding. An attacker will store the xss payload on this section and when the user will visit the page then attacker will get all the sensitive information of the user.

## Environment:

    Version: 2.6.3
    OS: Windows 10, Linux
    PHP: 7
    URL: index.php?p=/dashboard/settings/branding
    
## Proof of Concept:
    https://github.com/hacky1997/CVE-2020-8825/blob/master/vanilla.png

## Assigned by:
  [Sayak Naskar](https://github.com/hacky1997/)

Leave Your Comment

five × 4 =