Skip to main content

Xenforo CVE-2021-43032

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2021-11-03 cve@mitre.org
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 03, 2021 - 20:15 nvd
MEDIUM 4.8

DescriptionNVD

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side.

AnalysisAI

In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. In XenForo through 2.2.7, a threat actor with access to the admin panel can create a new Advertisement via the Advertising function, and save an XSS payload in the body of the HTML document. This payload will execute globally on the client side. Affected products include: Xenforo. Version information: through 2.2.7.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2024-38458 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows code injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2024-38457 HIGH POC
8.8 Jun 16

Xenforo before 2.2.16 allows CSRF. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authen

CVE-2025-71279 CRITICAL
9.3 Apr 01

Authentication bypass in XenForo versions prior to 2.3.7 compromises passkey-based authentication, allowing remote unaut

CVE-2025-71281 HIGH
8.7 Apr 01

Remote code execution in XenForo versions before 2.3.7 allows authenticated users to invoke unauthorized methods through

CVE-2025-71278 HIGH
8.7 Apr 01

OAuth2 scope enforcement vulnerability in XenForo 2.3.x (prior to 2.3.5) allows authenticated client applications to req

CVE-2025-71282 HIGH
8.7 Apr 01

XenForo forum software versions prior to 2.3.7 disclose server filesystem paths through exception messages triggered by

CVE-2026-35056 HIGH
8.6 Apr 01

Remote code execution in XenForo versions prior to 2.3.9 and 2.2.18 allows authenticated administrators to execute arbit

CVE-2024-25006 HIGH
8.1 Feb 29

XenForo before 2.2.14 allows Directory Traversal (with write access) by an authenticated user who has permissions to adm

CVE-2025-71280 MEDIUM
6.9 Apr 01

XenForo before version 2.3.7 exposes sensitive user account information through improper browser caching of account page

CVE-2026-35057 MEDIUM
5.1 Apr 01

Stored cross-site scripting (XSS) in XenForo before 2.3.10 and 2.2.19 allows authenticated attackers to inject malicious

CVE-2026-35055 MEDIUM
5.1 Apr 01

Cross-site scripting (XSS) in XenForo lightbox functionality allows unauthenticated remote attackers to inject malicious

CVE-2026-35054 MEDIUM
5.1 Apr 01

Stored cross-site scripting in XenForo before version 2.3.9 allows authenticated users to inject malicious scripts throu

Share

CVE-2021-43032 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy