Discovery is credited to Zinho <email@example.com>.
ASP-DEV XM Forum RC3
XM Forum is reported prone to a script injection vulnerability.
An attacker can supply arbitrary HTML and script code through the BBCode IMG tag to trigger this issue and execute arbitrary script code in a user's browser.
XM Forum RC3 is reported vulnerable. It is possible that other versions are affected as well.
An exploit is not required.
The following example is available: [IMG]javasc+ript:alert(document.cookie)[/IMG]
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
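With no vendor patch listed, the weakness described above can be closed in the BBCode renderer itself by allowlisting URL schemes for the IMG tag instead of trying to filter out script URLs. The following is an added example in Python, not XM Forum's own code (the forum is an ASP application); all function and variable names are hypothetical and the sample posts are constructed, apart from the example string quoted in the advisory.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical names throughout; this is not XM Forum's code.
ALLOWED_SCHEMES = {"http", "https"}           # allowlist, not a "javascript:" blocklist
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
# Control characters, whitespace and HTML metacharacters never belong in an image URL.
FORBIDDEN = re.compile(r"[\x00-\x20\x7f\"'<>`]")


def safe_img_url(raw):
    """Return the URL if it is an absolute http(s) URL, otherwise None."""
    url = raw.strip()
    if not url or FORBIDDEN.search(url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:                         # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def render_bbcode_img(post):
    """HTML-escape a post and expand only [IMG] tags whose URL passes the check."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(post):
        out.append(html.escape(post[pos:m.start()]))
        url = safe_img_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0)))   # show rejected tag as inert text
        else:
            out.append('<img src="%s" alt="">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(post[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample posts; the second is the example string from the advisory.
    for sample in ("[IMG]http://example.com/a.png[/IMG]",
                   "[IMG]javasc+ript:alert(document.cookie)[/IMG]"):
        print(render_bbcode_img(sample))
```

Rejected tags are emitted as escaped literal text, so the post still displays but no `src` attribute is ever built from a non-http(s) value.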