cross site scripting - reflected in gnuboard/gnuboard5

Valid

Reported on

Aug 11th 2022


The reflected XSS vulnerability occurs due to a flaw in the clean_xss_tags() function called in new.php of Gnuboard 5.

  1. Open https://sir.kr/bbs/new.php?darkmode=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E
  2. The payload executes.

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.
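
A defender-side check for the request pattern in this report, added here as an example (it is not part of the original report or of gnuboard's code): it scans access-log lines for `darkmode` values on `/bbs/new.php` that decode to HTML markup characters, including double-encoded ones. The log lines, the combined log format and the benign `darkmode=1` value are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a reflected value leave an HTML attribute or open a tag.
MARKUP = re.compile(r'[<>"\'`]')
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %253C) so double-encoded input is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line, path="/bbs/new.php", param="darkmode"):
    """Return decoded values of `param` on `path` that contain markup characters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if url.path != path:
        return []
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        value = decode_fully(value)  # parse_qsl already decoded one layer
        if name == param and MARKUP.search(value):
            hits.append(value)
    return hits

# Constructed access-log lines (assumed combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Aug/2022:10:00:00 +0900] "GET /bbs/new.php?darkmode=1 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [11/Aug/2022:10:00:05 +0900] "GET /bbs/new.php?darkmode=%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.12 - - [11/Aug/2022:10:00:09 +0900] "GET /bbs/new.php?darkmode=%2522%253E HTTP/1.1" 200 5133',
    '192.0.2.13 - - [11/Aug/2022:10:00:12 +0900] "GET /bbs/board.php?darkmode=%22%3E HTTP/1.1" 200 4800',
]

def scan(lines):
    """Map line index -> flagged values for every line with a hit."""
    return {i: v for i, line in enumerate(lines) if (v := suspicious_params(line))}

if __name__ == "__main__":
    for idx, values in scan(SAMPLE_LOG).items():
        print(idx, values)
```
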

We are processing your report and will contact the gnuboard/gnuboard5 team within 24 hours. a month ago
We have contacted a member of the gnuboard/gnuboard5 team and are waiting to hear back a month ago
gnuboard
a month ago

Maintainer


Thank you for the information.

Corrected the problem.

iir00d
a month ago

Researcher


Can I register a CVE?

We have sent a follow up to the gnuboard/gnuboard5 team. We will try again in 7 days. a month ago
We have sent a second follow up to the gnuboard/gnuboard5 team. We will try again in 10 days. a month ago
kagla validated this vulnerability a month ago
iir00d has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kagla confirmed that a fix has been merged on 463ca0 a month ago
kagla has been awarded the fix bounty
iir00d
a month ago

Researcher


Can we assign a CVE?

iir00d
a month ago

Researcher


Can we assign a CVE? @admin

Jamie Slome
a month ago

Admin


We can assign a CVE if the maintainer is happy to proceed with one 👍

iir00d
a month ago

Researcher


Hi bro, can we assign a CVE? @maintainer
