Description
In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.
Exploits (1)
References (2)
Core 2
Core References
Release Notes, Vendor Advisory x_refsource_misc
https://xenforo.com/community/forums/announcements/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/SakuraSamuraii/CVE-2021-43032
Scores
CVSS v3
4.8
EPSS
0.0124
EPSS Percentile
79.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
xenforo/xenforo
< 2.2.7
Published
Nov 03, 2021
Tracked Since
Feb 18, 2026