CyberSec.Space Logo
Back to CVE Browser

CVE-2018-13000

MEDIUM
4.8
CVSS Severity Score
EPSS Score0.0280%
EPSS Percentile35.27th
PublishedJun 29, 2018
Last ModifiedNov 21, 2024

Vulnerability Description

An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A persistent XSS vulnerability is located in the `FTP Link` element of the `Private Message` module. The editor of the private message module allows inserting links without sanitizing the content. This allows remote attackers to inject malicious script code payloads as a private message (aka pmbody). The injection point is the editor ftp link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges.

Affected Platforms (CPE)

📦
Anelectron

Advanced Electron Forum

= 1.0.9

References & Advisories

🔗 https://www.vulnerability-lab.com/get_content.php?id=2123
🔗 https://www.vulnerability-lab.com/get_content.php?id=2123

Related Vulnerabilities

CVE-2008-509010.0

Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in ...

CVE-2011-35828.8

A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirm...

CVE-2009-25456.8

SQL injection vulnerability in Advanced Electron Forum (AEF) 1.x, when magic_quotes_gpc is disabled, allows remote attackers to ex...

CVE-2011-37005.0

Advanced Electron Forum (AEF) 1.0.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, w...