Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting

Author: Sayak Naskar
type: webapps
platform: php
port: 
date_added: 2020-02-11  
date_updated: 2020-02-11  
verified: 0  
codes: CVE-2020-8825  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 48042.txt  

# Exploit Title: Vanilla Forums 2.6.3 - Persistent Cross-Site Scripting
# Google Dork: N/A
# Date: 2020-02-10
# Exploit Author: Sayak Naskar
# Vendor Homepage: https://vanillaforums.com/en/
# Version: 2.6.3
# Tested on: Windows, Linux
# CVE : CVE-2020-8825

A Stored xss was found in Vanillaforum 2.6.3 .

index.php?p=/dashboard/settings/branding

# Proof of Concept:

An attacker will insert a payload on branding section. So, whenever an user will open the branding section then attacker automatically get all sensitive information of the user.