MyLittleForum 2.3.5 Cross Site Scripting

MyLittleForum 2.3.5 Cross Site Scripting

MyLittleForum 2.3.5 - Multiple Reflected XSS
Advisory MyLittleForum 2.3.5 Cross Site Scripting

MyLittleForum 2.3.5 - Multiple Reflected XSS
Advisory ID: RO-17-001
Severity: Medium
Vendor: ilosuna
Product: MyLittleForum
Version: 2.3.5


Overview #

Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in MyLittleForum version 2.3.5. The vulnerabilities allow remote attackers to inject arbitrary web script or HTML.


Vulnerability Details #

Affected Versions: 2.3.5 and earlier

Root Cause: Insufficient input validation and output encoding on multiple parameters allows XSS attacks.


Exploitation Requirements #

No authentication required
Victim must visit crafted URLs

Impact #

Remote attackers can exploit these vulnerabilities to:

Steal forum user session cookies
Perform actions on behalf of users
Post malicious content

Proof of Concept #

Details available upon request.


Solution #

Upgrade to a patched version of MyLittleForum that includes proper input sanitization.


References #

Invicti Advisory NS-17-002

Timeline:

[2017-01-01] - Discovered

Credits: Omar Kurt