SB2020010617 - Multiple vulnerabilities in Codologic Codoforum
Published: January 6, 2020 Updated: February 9, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2020-5842)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
2) Cross-site scripting (CVE-ID: CVE-2020-5843)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via a category to the Manage Users screen. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2020-5305)
The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data when processing data passed via a name field of a new user, i.e., on the Manage Users screen. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Cross-site scripting (CVE-ID: CVE-2020-5306)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks via a post using parameters display name, title name, or content.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://medium.com/@prasanthc41m/cve-2020-5842-stored-xss-vulnerability-in-codoforum-4-8-3-b2e1133c6a91
- https://www.exploit-db.com/exploits/47876
- http://codologic.com/forum/index.php?u=/category/news-and-announcements
- https://vyshnavvizz.blogspot.com/2020/01/persistent-cross-site-scripting-admin.html
- https://vyshnavvizz.blogspot.com/2020/01/stored-cross-site-scripting-in_2.html
- https://vyshnavvizz.blogspot.com/2020/01/stored-cross-site-scripting-in.html