CyberSec.Space Logo
返回 CVE 浏览器

CVE-2018-13000

MEDIUM
4.8
CVSS Severity Score
EPSS Score0.0280%
EPSS Percentile35.27th
Published2018年6月29日
Last Modified2024年11月21日

Vulnerability Description

An XSS issue was discovered in Advanced Electron Forum (AEF) v1.0.9. A persistent XSS vulnerability is located in the `FTP Link` element of the `Private Message` module. The editor of the private message module allows inserting links without sanitizing the content. This allows remote attackers to inject malicious script code payloads as a private message (aka pmbody). The injection point is the editor ftp link element and the execution point occurs in the message body context on arrival. The request method to inject is POST with restricted user privileges.

Affected Platforms (CPE)

📦
Anelectron

Advanced Electron Forum

= 1.0.9

References & Advisories

🔗 https://www.vulnerability-lab.com/get_content.php?id=2123
🔗 https://www.vulnerability-lab.com/get_content.php?id=2123

相关漏洞威胁

CVE-2008-509010.0

Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in ...

CVE-2011-35828.8

A Cross-site Request Forgery (CSRF) vulnerability exists in Advanced Electron Forums (AEF) through 1.0.9 due to inadequate confirm...

CVE-2009-25456.8

SQL injection vulnerability in Advanced Electron Forum (AEF) 1.x, when magic_quotes_gpc is disabled, allows remote attackers to ex...

CVE-2011-37005.0

Advanced Electron Forum (AEF) 1.0.8 allows remote attackers to obtain sensitive information via a direct request to a .php file, w...