CVE-2024-58292
Description
XMB Forum 1.9.12.06 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript into templates and front page settings. Attackers can insert XSS payloads in footer templates and news ticker fields, enabling script execution for all forum users when pages are rendered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XMB Forum 1.9.12.06 contains a persistent XSS vulnerability allowing authenticated administrators to inject malicious JavaScript into templates and news ticker fields, affecting all users.
Vulnerability
Details
XMB Forum 1.9.12.06 suffers from a persistent cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input in template and front page settings [1][2]. Authenticated administrators can inject arbitrary JavaScript code into the footer template or the news ticker field, which is then stored on the server and executed in the browsers of all users viewing the affected pages.
Exploitation
An attacker with admin privileges can log in, navigate to the Administration Panel, and edit the footer template under "Look & Feel" > "Templates" [1]. Alternatively, the news ticker field under "Settings" > "Front Page Options" can be used to inject payloads such as ` or ` [1]. No additional authentication or user interaction is required beyond the initial admin login; the payload executes automatically when any user visits a page that renders the footer or news ticker.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any forum visitor's session. This can lead to session hijacking, data theft, defacement, or further malicious actions [1][2]. The vulnerability is classified as CWE-79 and has a CVSS v4 base score of 5.1 (Medium) [2].
Mitigation
The XMB project has released version 1.10.02 with Patch #2 on December 24, 2025, which addresses this vulnerability [3]. Users are strongly advised to upgrade to the latest version. No workaround is available for the affected version 1.9.12.06.
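The root cause described above is a stored value (news ticker text, footer template) emitted into pages without output encoding. The following added example, written for this page and not taken from XMB's code base, shows the "before" and hardened rendering of a plain-text setting such as the ticker, plus a small audit routine a forum operator can run over exported admin settings to find stored markup that can execute script. All sample values are constructed here. Note the distinction the audit relies on: a free-text field like the ticker should be HTML-escaped at output time, whereas a footer template is by design HTML, so for templates the practical control is restricting who can edit them and reviewing their stored contents.

```python
import html
import re

# Constructed sample values standing in for admin-saved settings; they are
# not taken from the advisory or from any real XMB installation.
SAMPLE_SETTINGS = {
    "news_ticker": "Welcome to the forum <script>alert(1)</script>",
    "footer_template": '<p>Copyright 2025</p><img src=x onerror="alert(1)">',
    "site_name": "Example Board & Co.",
}


def render_vulnerable(value: str) -> str:
    """'Before' form: the stored setting is concatenated into HTML untouched,
    which is the improper-neutralization pattern behind CWE-79."""
    return '<div class="ticker">' + value + "</div>"


def render_hardened(value: str) -> str:
    """Hardened form: HTML-escape the stored value at output time so that
    angle brackets, quotes and ampersands reach the browser as text."""
    return '<div class="ticker">' + html.escape(value, quote=True) + "</div>"


# Markers that indicate script-capable markup in a stored setting. Used only
# for auditing stored data; matching here is deliberately broad.
_SCRIPT_MARKERS = [
    re.compile(r"<\s*script\b", re.I),      # inline script element
    re.compile(r"\bon[a-z]+\s*=", re.I),    # inline event handler attribute
    re.compile(r"javascript\s*:", re.I),    # javascript: URL scheme
]


def audit_settings(settings: dict) -> dict:
    """Return {setting_name: [matched patterns]} for every stored value that
    carries script-capable markup. Intended for reviewing exported admin
    settings or templates after an upgrade or during incident triage."""
    findings = {}
    for name, value in settings.items():
        hits = [p.pattern for p in _SCRIPT_MARKERS if p.search(value)]
        if hits:
            findings[name] = hits
    return findings


def is_script_free(rendered: str) -> bool:
    """True when the rendered HTML contains none of the script markers."""
    return not any(p.search(rendered) for p in _SCRIPT_MARKERS)


if __name__ == "__main__":
    for field, hits in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{field}: {hits}")
    print(render_hardened(SAMPLE_SETTINGS["news_ticker"]))
```

Running the audit over the constructed settings flags both the ticker and the footer template but not the plain site name; rendering the ticker through the hardened path neutralizes the stored tag while keeping legitimate characters such as the ampersand intact.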
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (No linked articles in our index yet.)