Persistent Cross-site Scripting - Admin Category Section

Codoforum v4.8.3 Admin Dashboard XSS



While I was searching for free forum software for our community I found Codoforum. After installing it, we tried a few simple XSS payloads to check its security and were surprised to find multiple critical cross-site scripting vulnerabilities that affect admin users.

Affected component: Admin Category section

Attack vector

Codoforum 4.8.3 allows stored (persistent) cross-site scripting in the admin dashboard via the input fields of the Category section. A payload saved with a category is rendered unescaped in the administrative dashboard, so it executes every time an admin opens the Category section or refreshes that page, not only when it is first saved.
Both reflected and stored cross-site scripting are present in the admin panel of the latest version, 4.8.3; the instance documented here is the stored variant in the category section.
Note that the payload is entered through the admin category form itself, so its impact against other admins depends on whether a lower-privileged account, or a cross-site request made on an admin's behalf, can reach the same input; this page only documents the stored behaviour, not that reachability.

Reproduction steps:

1. Download and install Codoforum 4.8.3 on a local server.
2. Log in to the administrative dashboard and open the Category tab.
3. Enter an XSS payload (for example <script>alert(document.domain)</script>) in the input boxes.
4. Click Save. The payload executes (an alert pops up) immediately, and again each time the Category page is reloaded, which shows that it is stored rather than only reflected.
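Watching for an alert on every refresh is a manual check. The script below is an added example, not Codoforum's own code, of how to verify the same thing deterministically from the fetched HTML: it generates a per-field canary payload, then classifies whether a page body contains it raw (exploitable in text context), only partially escaped (tags encoded but quotes not, still exploitable inside a quoted attribute such as the edit form's value), fully entity-encoded (safe), or not at all. The category row markup it renders is constructed to mimic the vulnerable and the fixed page; the element and attribute names are assumptions, not Codoforum's markup.

```python
"""Classify how a stored XSS canary is rendered in a fetched admin page.

Added example (not Codoforum code). In practice `body` is the HTTP
response of the admin Category page after saving the canary; the
rendered rows below are constructed stand-ins for that response.
"""
import html
import secrets


def make_canary(label: str) -> str:
    """Unique payload per field so the triggering input can be identified.
    The alert text carries the label and an 8-hex-char random token."""
    token = secrets.token_hex(4)
    return f'<img src=x onerror=alert("{label}-{token}")>'


def partial_escape(text: str) -> str:
    """Escape only & < > , which is what a template that forgets quote
    escaping does. Harmless in text nodes, still exploitable inside a
    quoted attribute because the quotes survive."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def classify(body: str, payload: str) -> str:
    """'raw'     payload appears verbatim: executes in text context
       'escaped' fully entity-encoded (quotes included): safe
       'partial' tags escaped but quotes not: attribute breakout possible
       'absent'  not stored, or not rendered on this page"""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body:
        return "escaped"
    if partial_escape(payload) in body:
        return "partial"
    return "absent"


def render_vulnerable(name: str) -> str:
    """Constructed category row that echoes the stored name unescaped,
    in both a text node and an attribute (assumed markup)."""
    return (f'<tr><td class="cat-name">{name}</td>'
            f'<td><input name="name" value="{name}"></td></tr>')


def render_hardened(name: str) -> str:
    """Same row with the name entity-encoded for both contexts.
    PHP equivalent: htmlspecialchars($name, ENT_QUOTES, 'UTF-8')."""
    safe = html.escape(name, quote=True)
    return (f'<tr><td class="cat-name">{safe}</td>'
            f'<td><input name="name" value="{safe}"></td></tr>')


def audit(pages: dict, payload: str) -> dict:
    """Run classify() over a mapping of page label -> HTML body."""
    return {label: classify(body, payload) for label, body in pages.items()}


if __name__ == "__main__":
    canary = make_canary("category-name")
    pages = {
        "vulnerable": render_vulnerable(canary),
        "hardened": render_hardened(canary),
    }
    for label, verdict in audit(pages, canary).items():
        print(f"{label}: {verdict}")
```

Feed `classify()` the saved page after each refresh; a verdict of `raw` or `partial` on a reload confirms the stored variant, while `escaped` on a page where the canary was previously `raw` is the check to run after a fix such as `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` is applied at the output point.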
