# CVE-2020-8825

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8825

## Vendor:

VanillaForum

## Description:

A stored XSS payload can be saved in `index.php?p=/dashboard/settings/branding`. An attacker stores the XSS payload in this section, and when a user visits the page, the attacker gets all of that user's sensitive information.

## Environment:

- Version: 2.6.3
- OS: Windows 10, Linux
- PHP: 7
- URL: `index.php?p=/dashboard/settings/branding`

## Proof of Concept:

https://github.com/hacky1997/CVE-2020-8825/blob/master/vanilla.png

## Assigned by:

[Sayak Naskar](https://github.com/hacky1997/)