| Title | YAFNET XSS in EditSignature Page |
|---|
| Description | This weakness has been reported to the author via the following URL : https://github.com/YAFNET/YAFNET/security/advisories
affected source code file : https://github.com/YAFNET/YAFNET/blob/netfx/yafsrc/YetAnotherForum.NET/Pages/Profile/EditSignature.ascx.cs (on web page : http://your-ip.com/forum/Profile/EditSignature)
Affected version: YAFNET 3.1.11
A cross-site scripting vulnerability exists. The vulnerability allows a user to embed arbitrary JavaScript code in the message field of the "Edit Signature" page and post a code with an XSS payload entered.
The signature is displayed underneath posts that the user has previously published, which can affect any user when accessing certain pages, including those who are not logged in.
It can potentially lead to credential disclosure in trusted sessions. |
|---|
| Source | ⚠️ https://drive.google.com/drive/folders/1iJuhjLQy3QPIgKKgWUzEEfr_q0boaR00?usp=sharing |
|---|
| User | lin7lic (UID 39301) |
|---|
| Submission | 01/28/2023 16:59 (3 years ago) |
|---|
| Moderation | 02/02/2023 14:38 (5 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 220037 [YAFNET up to 3.1.11 Signature cross site scripting] |
|---|
| Points | 20 |
|---|