CVE-2018-15679
Description
Reflected XSS in XBTIT 2.5.4 forum search allows unauthenticated attackers to execute arbitrary JavaScript in authenticated users' browsers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The search functionality at /index.php?page=forums&action=search in BTITeam XBTIT version 2.5.4 does not sanitize the keywords parameter before reflecting it in the response [1]. This allows reflected cross-site scripting (XSS). The application includes a weak anti-XSS filter in includes/crk_protection.php, but it can be bypassed using techniques such as string splitting with eval() and String.replace() to reconstruct blocked patterns like cookie [1].
Exploitation
An unauthenticated attacker can craft a malicious URL containing a JavaScript payload in the keywords parameter and deliver it to an authenticated user (for example, via a phishing link). The payload must bypass the anti-XSS filter, which is achieved by splitting blocked strings (e.g., a~lert(do~cu~me~nt~.c~oo~k~ie)) and reconstructing them with .toString().replace(/~/g, '').slice(1,-1) inside eval() [1]. No user interaction beyond clicking the link is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session on the XBTIT site [1]. The attacker can steal session cookies, perform actions on behalf of the victim, access forum data, or deface the page. The attack targets authenticated users, leading to account takeover and information disclosure.
Mitigation
As of the available references, no official patch has been released by BTITeam for XBTIT 2.5.4 [1]. The vendor appears unresponsive, and the software may be end-of-life. Administrators are advised to HTML-encode the keywords parameter wherever it is reflected into page output, or to deploy a Content Security Policy (CSP) header to reduce the impact of any script that does get injected. Migrating to a maintained alternative is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 2.5.4
- (no CPE) range: = 2.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
Missing input sanitization of the "keywords" parameter in the forum search function allows reflected cross-site scripting.
Attack vector
An attacker crafts a URL containing a malicious payload in the "keywords" parameter of `/index.php?page=forums&action=search` [1]. The application's anti-XSS filter (crk_protection.php) blocks basic payloads containing strings like `.cookie`, but the attacker can bypass this filter by using `eval()` combined with `String.replace()` and `slice()` to reconstruct the forbidden string at runtime [1]. When an authenticated user visits the crafted URL, the payload executes arbitrary JavaScript in their browser, allowing the attacker to steal cookies, including the session cookie [1].
Affected code
The vulnerable endpoint is `/index.php?page=forums&action=search`, where the "keywords" parameter is reflected without sanitization [1]. The application's anti-XSS mechanism in `crk_protection.php` attempts to block certain malicious strings but can be bypassed [1].
What the fix does
The advisory recommends updating to a version that supersedes 2.5.4 or applying the referenced patch [1]. No patch diff is included in the bundle, so the specific code changes are not visible. The fix would need to properly sanitize or encode the "keywords" parameter before reflecting it in the page output, and ideally strengthen the anti-XSS filter to prevent the eval-based bypass technique described in the write-up [1].
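The Mitigation section and the fix description above both come down to the same rule: encode the keyword at the point where it is written into HTML, and do not rely on a denylist of substrings such as `.cookie`, which string-splitting defeats. The following is an added example, not XBTIT's own code and not the referenced pull request; the function names, the sample inputs and the CSP value are assumptions chosen for illustration. It shows a search heading and a pre-filled search box rendered with output encoding, plus a defence-in-depth CSP header that disables inline handlers and `eval()` in the browser.

```php
<?php
// Added example (not XBTIT's code): encoding the reflected "keywords"
// value at output time instead of filtering it at input time.
declare(strict_types=1);

/**
 * Encode a user-supplied string for insertion into HTML text or into a
 * double- or single-quoted attribute value.
 *  - ENT_QUOTES      encodes both " and ' (attribute contexts)
 *  - ENT_SUBSTITUTE  replaces invalid UTF-8 instead of returning ''
 *                    (the empty-string behaviour silently drops the value)
 */
function encode_for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the results heading and the pre-filled search box. The keyword
 * is encoded once, right where it is emitted, so it is inert whatever
 * characters it contains; no list of "dangerous" substrings is involved.
 * (Hypothetical rendering helper; XBTIT's template layout is not known.)
 */
function render_search_heading(string $keywords): string
{
    $safe = encode_for_html($keywords);
    return '<h2>Search results for "' . $safe . '"</h2>' . "\n"
         . '<input type="text" name="keywords" value="' . $safe . '">';
}

/**
 * Defence-in-depth: with script-src limited to 'self' the browser refuses
 * inline event handlers and eval(), so a reflection missed elsewhere in
 * the application still cannot run script. Assumed policy; tune to the
 * site's actual script sources before deploying.
 */
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";
}

// Constructed sample inputs (not from the advisory) and their expected
// encodings: a benign query, an attribute break-out attempt, a single quote.
$samples = [
    'linux iso'      => 'linux iso',
    '"><b>x</b>'     => '&quot;&gt;&lt;b&gt;x&lt;/b&gt;',
    "O'Reilly"       => 'O&#039;Reilly',
];

foreach ($samples as $raw => $expected) {
    $got = encode_for_html($raw);
    if ($got !== $expected) {
        fwrite(STDERR, "unexpected encoding for {$raw}: {$got}\n");
        exit(1);
    }
    echo render_search_heading($raw), PHP_EOL;
}
echo csp_header(), PHP_EOL;
```

Run it with `php example.php`; the second sample prints as literal text (`&quot;&gt;&lt;b&gt;...`) rather than becoming markup, and the single quote is encoded as `&#039;` so it cannot terminate a single-quoted attribute either. The CSP header is emitted last only so the script can print it; in a real handler it belongs in `header()` before any output.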
Preconditions
- auth: The victim must be an authenticated user of the XBTIT application.
- network: The attacker must be able to deliver a crafted URL to the victim (e.g., via phishing or link injection).
- input: The 'keywords' parameter must accept and reflect user-supplied input without sanitization.
Reproduction
GET /index.php?page=forum&action=search&keywords=%22%3E%3Cimg%20src=x%20onerror=%22eval(/a~lert(do~cu~me~nt~.c~oo~k~ie)/.toString().replace(/~/g,%20%27%27).slice(1,-1))%22%3E%3C HTTP/1.1
Host: xbtit.vm
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: SMFCookie693=a%3A4%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3Bs%3A40%3A%221250f6c7216825b4a231dc697393fc56e8921810%22%3Bi%3A2%3Bi%3A1723852786%3Bi%3A3%3Bi%3A0%3B%7D; uid=2; pass=b094c51fb1076fc241a300ba39c3de9e; xbtit=oghknpvtihirf66f94dqa8ohvf
Connection: close
Upgrade-Insecure-Requests: 1
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/btiteam/xbtit/pull/58 (MITRE x_refsource_CONFIRM)
- rastating.github.io/xbtit-multiple-vulnerabilities/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.