CVE-2023-53904
Description
Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Xenforo 2.2.13 stored XSS allows authenticated admins to inject scripts via smilie category title, executing in the admin panel.
Vulnerability
Overview
CVE-2023-53904 is a stored cross-site scripting (XSS) vulnerability in XenForo 2.2.13. The root cause is improper neutralization of user input in the smilie category title parameter. When an authenticated administrator creates or edits a smilie category, the title field is not sanitized, allowing injection of arbitrary HTML and JavaScript [2][3].
Exploitation
An attacker must have an administrator account with privileges to manage smilie categories. The exploit is performed by sending a POST request to /admin.php?smilie-categories/0/save with a malicious payload in the title parameter, as demonstrated in a public exploit [2]. The injected script is stored and executed whenever the admin panel loads the smilie categories page.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, defacement, or further client-side attacks against other administrators [3]. The CVSS v3 base score is 4.6 (Medium), indicating a moderate severity.
Mitigation
As of the publication date, users are advised to upgrade to a patched version of XenForo beyond 2.2.13, if available. Administrators should review and restrict access to smilie category management to trusted users only.
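To make the root cause in the Overview concrete, the PHP below (added here; it is not XenForo's own code) contrasts an admin-list row rendered from an unescaped stored category title with the HTML-encoded form, and adds a check a reviewer could run over rendered output. The category array, its field names and the sample title are constructed for this illustration.

```php
<?php
// Added illustration, not XenForo code: rendering a stored smilie category
// title into the admin panel with and without output encoding.
declare(strict_types=1);

/** Vulnerable pattern: the stored title is concatenated straight into markup. */
function renderCategoryRowUnsafe(array $category): string
{
    return '<tr><td class="title">' . $category['title'] . '</td></tr>';
}

/** Hardened pattern: HTML-encode the title for the element-body context. */
function renderCategoryRowSafe(array $category): string
{
    $title = htmlspecialchars($category['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td class="title">' . $title . '</td></tr>';
}

/**
 * Defensive check: if a stored value contains a '<' and the rendered page
 * still contains that value verbatim, the value reached the page unencoded.
 */
function storedValueReachedPageRaw(string $html, string $storedValue): bool
{
    return strpos($storedValue, '<') !== false
        && strpos($html, $storedValue) !== false;
}

// Constructed sample row (field names are hypothetical, not XenForo's schema).
$category = ['id' => 1, 'title' => 'Holidays <script>alert(1)</script>'];

$unsafe = renderCategoryRowUnsafe($category);
$safe   = renderCategoryRowSafe($category);

// The unencoded row fails the check; the encoded row passes it, because the
// title is emitted as &lt;script&gt;... and is shown as text, not executed.
var_dump(storedValueReachedPageRaw($unsafe, $category['title']));
var_dump(storedValueReachedPageRaw($safe, $category['title']));
echo $safe, PHP_EOL;
```

Encoding at output is the fix for the rendering context; validating the title on save (length and character set) is a useful second layer but does not replace it.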
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.