Not a bug STORED XSS IN BBCODE

[sci_hacker]

Affected version

Firefox

Hi, XENFORO SECURITY TEAM

I'm ANTO

Vulnerability
Stored xss in (https://74bd69fab50fdc98.demo-xenforo.com/2110p2/admin.php?bb-codes).

STEPS TO REPRODUCE

1. Go to (https://74bd69fab50fdc98.demo-xenforo.com/2110p2/admin.php?bb-codes).
2. Go to the add bb code and paste this payload in title "><img src=x onerror=alert(document.domain)>
3. and save.
4. Then see the response in the browser and the popup will appear.

NOTE: I also attached a video POC

Impact​

With the help of XSS, a hacker or attacker can perform social engineering on users by redirecting them from real websites to fake ones. The hacker can steal their cookies and download malware on their system, and there are many more attacking scenarios a skilled attacker can perform with XSS.

Regards,
Anto

 

[Chris D]

Thanks for your report.

This is not something we would consider to be a valid security vulnerability because it requires the attacker to already have privileged access to the software as an administrator.

There are many places an admin user can use HTML, potentially to the same effect.

Note: Security vulnerabilities should be reported responsibly, and not in a public forum. Please Contact us in future if you suspect a security issue.

 

[RisteDimitrievski]

As Chris said this can not be High security priority vulnerability because the attacker should be given admin permission.
As administrator you can use html in more modules..

Don't give admin everybody and if you're giving admin to someone untrusted, better update his admin permission and make sure he can not use those modules which have html tags on.