CVE-2008-4513
Description
Cross-site scripting (XSS) vulnerability in BBcode API module in Phorum 5.2.8 allows remote attackers to inject arbitrary web script or HTML via nested BBcode image tags.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Phorum 5.2.8 BBcode API module allows remote attackers to inject arbitrary web script via nested image tags.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the BBcode API module of Phorum version 5.2.8. The flaw lies in the conversion of nested BBcode image tags ([img] inside [img]) to HTML: the module does not sanitize the nested tags correctly, so attacker-supplied HTML or JavaScript reaches the rendered page. The vulnerable code path is reachable whenever user-submitted content containing BBcode image tags is rendered, most obviously forum posts, and potentially other BBcode-formatted content such as private messages if the installation renders them through the same module.
Exploitation
An attacker can exploit this vulnerability by crafting a forum post or message containing specially nested BBcode image tags. No authentication is required if the forum allows unregistered users to post; otherwise, the attacker needs a valid account. This is a stored XSS: the payload is persisted with the post on the server and runs in the browser of every user who later views it, which includes moderators and administrators who read the same threads.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the origin of the forum, in the context of the victim's browser session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites; where the victim is a moderator or administrator, the script can perform forum actions with that user's privileges. The attack requires no privileges beyond the ability to post content.
Mitigation
Phorum released a fix in version 5.2.9, which addresses the vulnerability by properly sanitizing nested BBcode image tags [1][2]. Users should upgrade to Phorum 5.2.9 or later. No workarounds are documented. Because the payload is stored, administrators should also review existing posts for nested image tags after upgrading, in case the installation applies sanitization at submission time rather than at display time. As of the publication date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
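The two functions below are an added illustration and are not Phorum's code or the 5.2.9 fix: a renderer that converts [img]URL[/img] to an <img> element while refusing nested image tags, validating the URL and HTML-escaping everything else, and a nesting-depth check that can be run over stored posts to locate content of the kind this CVE describes. The accepted-URL character set, the single-pass design, the decision to show a nested span as literal text, and the sample posts are all assumptions of this example.

```python
import html
import re

# Case-insensitive [img] and [/img] markers. Other BBcode tags and the
# [img=...] form are out of scope for this illustration (an assumption).
IMG_OPEN = re.compile(r'\[img\]', re.IGNORECASE)
IMG_CLOSE = re.compile(r'\[/img\]', re.IGNORECASE)
IMG_TOKEN = re.compile(r'\[/?img\]', re.IGNORECASE)

# Only absolute http(s) URLs drawn from a conservative character set are
# accepted as image sources. Quotes, whitespace, angle brackets and the
# BBcode bracket characters are excluded, so an accepted value can neither
# end the src attribute nor start a new tag or attribute.
URL_OK = re.compile(r'^https?://[A-Za-z0-9._~:/?#@!$&*+,;=%()-]+$')


def max_img_nesting(post: str) -> int:
    """Deepest nesting level of [img] tags in a post.

    0: no image tag; 1: well-formed, non-nested tags; 2 or more: an [img]
    opened inside another [img], the pattern this CVE describes. Stray
    closers are ignored rather than driving the depth negative, so an
    unbalanced post cannot mask a nested one.
    """
    depth = best = 0
    for tok in IMG_TOKEN.finditer(post):
        if tok.group(0).lower() == '[img]':
            depth += 1
            best = max(best, depth)
        elif depth > 0:
            depth -= 1
    return best


def render_img_tags(post: str) -> str:
    """Render [img]URL[/img] to <img src="URL">, refusing nested image tags.

    The input is scanned once, left to right, and the output is never fed
    back into the tag parser, so rendered markup can never be re-read as
    BBcode. Text outside an accepted tag is HTML-escaped. A span whose
    content opens another [img], fails the URL check, or is never closed
    is emitted as escaped literal text instead of being rendered.
    """
    out = []
    pos = 0
    while True:
        m = IMG_OPEN.search(post, pos)
        if not m:
            out.append(html.escape(post[pos:]))
            break
        out.append(html.escape(post[pos:m.start()]))
        close = IMG_CLOSE.search(post, m.end())
        if not close:
            out.append(html.escape(post[m.start():]))
            break
        inner = post[m.end():close.start()]
        if IMG_OPEN.search(inner) or not URL_OK.match(inner):
            # Nested or invalid: show the whole span as text.
            out.append(html.escape(post[m.start():close.end()]))
        else:
            # html.escape also turns '&' in query strings into '&amp;',
            # which is the correct encoding inside an attribute value.
            out.append('<img src="%s">' % html.escape(inner, quote=True))
        pos = close.end()
    return ''.join(out)


# Constructed sample posts for triage; not real forum content.
SAMPLE_POSTS = {
    101: 'Look at this: [img]http://example.test/cat.png[/img]',
    102: '[img][img]http://example.test/cat.png[/img][/img]',
    103: '[IMG]http://example.test/a.png[/IMG] and [img]http://example.test/b.png[/img]',
    104: '[img]http://example.test/a.png" onerror="alert(1)[/img]',
}


def find_nested_posts(posts: dict) -> list:
    """IDs of stored posts whose image tags nest, for manual review."""
    return sorted(pid for pid, body in posts.items() if max_img_nesting(body) >= 2)


if __name__ == '__main__':
    for pid, body in SAMPLE_POSTS.items():
        print(pid, max_img_nesting(body), render_img_tags(body))
    print('nested:', find_nested_posts(SAMPLE_POSTS))
```

The design point is the single pass: a converter that repeatedly substitutes tags until none remain, or that builds an outer tag's attribute from an inner tag's already rendered output, gives nested markup a second chance to be interpreted. Treating a nested span as plain text costs nothing legitimate, since an image URL never contains another image tag.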
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 6
News mentions: 0 (no linked articles in our index yet)