[转载]WoltLab Burning Board 2.3.1及以下版本跨站脚本漏洞

  文章作者：deluxe[@]security-project.org

Vendor: WoltLab
URL: http://www.woltlab.de/
Version: <= 2.3.1
Type: XSS

Discovered by deluxe89
Contact: deluxe[@]security-project.org

Description:
--------------------------------
The WoltLab Burning Board is a high customisable forum software for every kind of use.

See [1] for a detailed description.

Cross Site Scripting:
--------------------------------
It&#39;s possible to inject HTML or JavaScript code into the variable "hilight" of thread.php.

http://www.it-security23.net/thr ... d=1683&hilight=[XSS]

Solution:
--------------------------------
There isn&#39;t a solution yet.

Security-Project
--------------------------------
http://www.security-project.org

Vendor contacted.
Greetz to Astovidatu, DooMRunneR, Wacholdernutte and Doc

[1] http://www.woltlab.de/products/burning_board/index_en.php