Carbon Forum 5.9.0 – Stored XSS

• Exploit Database
• 826 阅读

• 作者： Chokri Hammedi
  日期： 2024-06-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52043/

• # Exploit Title: Persistent XSS in Carbon Forum 5.9.0 (Stored)
  # Date: 06/12/2024
  # Exploit Author: Chokri Hammedi
  # Vendor Homepage: https://www.94cb.com/
  # Software Link: https://github.com/lincanbin/Carbon-Forum
  # Version: 5.9.0
  # Tested on: Windows XP
  # CVE: N/A
  
  ## Vulnerability Details
  
  A persistent (stored) XSS vulnerability was discovered in Carbon Forum
  version 5.9.0. The vulnerability allows an attacker to inject malicious
  JavaScript code into the Forum Name field under the admin settings. This
  payload is stored on the server and executed in the browser of any user who
  visits the forum, leading to potential session hijacking, data theft, and
  other malicious activities.
  
  ## Steps to Reproduce
  
  1. Login as Admin: Access the Carbon Forum with admin privileges.
  2. Navigate to Settings: Go to the '/dashboard' and select the Basic
  section.
  3. Enter Payload : Input the following payload in the Forum Name field:
  
  <script>alert('XSS');</script>
  
  4. Save Settings: Save the changes.
  5. The xss payload will triggers