CVE-2020-9007
https://notcve.org/view.php?id=CVE-2020-9007
Codoforum 4.8.8 allows self-XSS via the title of a new topic. • https://github.com/matuhn/Research/blob/master/codoforum/readme.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-7050
https://notcve.org/view.php?id=CVE-2020-7050
Codologic Codoforum through 4.8.4 allows a DOM-based XSS. While creating a new topic as a normal user, it is possible to add a poll that is automatically loaded in the DOM once the thread/topic is opened. Because session cookies lack the HttpOnly flag, it is possible to steal authentication cookies and take over accounts. • https://codologic.com/forum/index.php?u=/topic/12638/codoforum-4-8-8-released-and-the-future#post-23845 • https://www.linkedin.com/posts/polina-voronina-896819b5_discovered-by-polina-voronina-jan-15-activity-6634436086540054528-dDgg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2020-7051
https://notcve.org/view.php?id=CVE-2020-7051
Codologic Codoforum through 4.8.4 allows stored XSS in the login area. This is relevant in conjunction with CVE-2020-5842 because session cookies lack the HttpOnly flag. The impact is account takeover. • https://codologic.com/forum/index.php?u=/topic/12638/codoforum-4-8-8-released-and-the-future#post-23845 • https://www.linkedin.com/posts/polina-voronina-896819b5_discovered-by-polina-voronina-jan-15-activity-6634436086540054528-dDgg • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2020-5842
https://notcve.org/view.php?id=CVE-2020-5842
Codoforum 4.8.3 allows XSS in the user registration page via the username field to the index.php?u=/user/register URI. The payload is, for example, executed on the admin/index.php?page=users/manage page. • https://medium.com/%40prasanthc41m/cve-2020-5842-stored-xss-vulnerability-in-codoforum-4-8-3-b2e1133c6a91 • https://www.exploit-db.com/exploits/47876 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-5843
https://notcve.org/view.php?id=CVE-2020-5843
Codoforum 4.8.3 allows XSS in the admin dashboard via a category to the Manage Users screen. • http://codologic.com/forum/index.php?u=/category/news-and-announcements • https://vyshnavvizz.blogspot.com/2020/01/persistent-cross-site-scripting-admin.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')