CVE-2019-18636

Description

JitBit AspNetForum in versions before 8.3.8 is vulnerable to cross-site scripting (XSS). The XSS can only be exploited by an authenticated user, but keep in mind that by default this is a forum, so registration is usually open to anyone, and the exploit itself is very simple. To make matters worse, the application is no longer supported (https://www.jitbit.com/asp-net-forum/versionhistory/), since the last version update was in 2015; despite this, I managed to spot a few public forums by doing a Google search.

Steps to reproduce

1. Authenticate to the application
2. Go to editprofile.aspx
3. Choose any of the Gravatars provided and click the Ok button below the Gravatars
4. Turn intercept on in Burp and modify the form field "DefaultAvatarInput" from the image file value to:
" hidden/><script>alert('XSS')</script> <img hidden
5. I added the elements for a bit more stealth, but obviously feel free to modify this simple payload.

Why did it come to be

This is an ASP.NET application, as the name suggests. Normal values like the username are escaped against XSS with
string username = tbUsername.Text.Replace("<", "&lt;").Replace(">", "&gt;"); // HTML-encodes the angle brackets so the value renders as text
The gravatar input is not checked for XSS at all: the stored value is written back into the page without any encoding.
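To make the defect concrete, here is a small Python model of the avatar rendering (an added example, not the forum's code; the tag layout and the function names are assumptions). It renders the advisory's own payload three ways: with no encoding, with the angle-bracket-only replacement used for the username, and with full HTML-attribute encoding, and checks whether the stored value still sits inside the img tag's src attribute.

```python
import html
import re

# The payload quoted in the advisory, submitted as the DefaultAvatarInput value.
ADVISORY_PAYLOAD = '" hidden/><script>alert(\'XSS\')</script> <img hidden'

# Assumed shape of the generated markup; the real forum's tag may differ.
IMG_SRC = re.compile(r'^<img src="([^"]*)" alt="avatar">$')
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def render_avatar_naive(avatar: str) -> str:
    """Interpolate the stored value with no encoding (the advisory's defect)."""
    return f'<img src="{avatar}" alt="avatar">'


def encode_angle_brackets(value: str) -> str:
    """The username treatment quoted in the advisory: only < and > are replaced."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_avatar_bracket_encoded(avatar: str) -> str:
    """Angle brackets encoded, but a double quote can still end the attribute."""
    return f'<img src="{encode_angle_brackets(avatar)}" alt="avatar">'


def render_avatar_attr_encoded(avatar: str) -> str:
    """Attribute-context encoding: html.escape(quote=True) also encodes " and '."""
    return f'<img src="{html.escape(avatar, quote=True)}" alt="avatar">'


def contains_live_script_tag(rendered: str) -> bool:
    """True if a raw <script tag survived into the markup."""
    return SCRIPT_TAG.search(rendered) is not None


def decoded_attribute_value(rendered: str):
    """Return the src value as a browser would decode it, or None when the
    stored value broke out of the attribute (the markup is no longer one img tag)."""
    match = IMG_SRC.match(rendered)
    return html.unescape(match.group(1)) if match else None


if __name__ == "__main__":
    for render in (render_avatar_naive, render_avatar_bracket_encoded, render_avatar_attr_encoded):
        out = render(ADVISORY_PAYLOAD)
        print(render.__name__, "script tag:", contains_live_script_tag(out),
              "stays in attribute:", decoded_attribute_value(out) == ADVISORY_PAYLOAD)
```

Only the attribute-encoded variant keeps the submitted text as inert data inside the attribute; the angle-bracket-only replacement stops the script tag but still lets the leading double quote terminate the attribute.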

Disclosure Timeline

Vendor contacted 9/28/2019
No response received within 30 days
Public disclosure on 10/31/2019