{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/yafnet.core/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["YAFNET.Core"],"_cs_severities":["critical"],"_cs_tags":["xss","web-application","injection"],"_cs_type":"advisory","_cs_vendors":["YetAnotherForum.NET"],"content_html":"\u003cp\u003eYAFNET is vulnerable to a stored (second-order) cross-site scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious JavaScript code into the \u003ccode\u003eUser-Agent\u003c/code\u003e header of an HTTP request. This input is then logged into the \u003ccode\u003eEventLog.Description\u003c/code\u003e column of the database whenever an error occurs on the server. The admin event log page deserializes the JSON and displays the \u003ccode\u003eUserAgent\u003c/code\u003e value without proper encoding. When an administrator views the event log page, the injected JavaScript is executed in the administrator\u0026rsquo;s browser session, potentially leading to account takeover or other malicious activities. This vulnerability affects YAFNET.Core versions 4.0.0-beta01 through 4.0.4 and versions up to 3.2.11. The vulnerability was reported on 2026-05-05 and assigned CVE-2026-43938.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a malicious HTTP request to the \u003ccode\u003e/api/Attachments/GetAttachment\u003c/code\u003e endpoint with a crafted \u003ccode\u003eUser-Agent\u003c/code\u003e header containing XSS payload (e.g., \u003ccode\u003e\u0026lt;img src=x onerror=alert('XSS')\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe YAFNET application encounters an error when processing the request, triggering an exception.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eYAFNET.Core/Logger/DbLogger.cs\u003c/code\u003e captures the request\u0026rsquo;s \u003ccode\u003eUser-Agent\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUser-Agent\u003c/code\u003e string is serialized into a JSON object using \u003ccode\u003eJsonConvert\u003c/code\u003e and stored in the \u003ccode\u003eEventLog.Description\u003c/code\u003e column of the \u003ccode\u003edbo.EventLog\u003c/code\u003e table in the database.\u003c/li\u003e\n\u003cli\u003eAn administrator navigates to the \u003ccode\u003e/Admin/EventLog\u003c/code\u003e page.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eYetAnotherForum.NET/Pages/Admin/EventLog.cshtml.cs\u003c/code\u003e deserializes the JSON from the \u003ccode\u003eEventLog.Description\u003c/code\u003e column.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eFormatStackTrace()\u003c/code\u003e function extracts the \u003ccode\u003eUserAgent\u003c/code\u003e value from the deserialized JSON.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eEventLog.cshtml\u003c/code\u003e Razor view uses \u003ccode\u003e@Html.Raw\u003c/code\u003e to render the \u003ccode\u003eUserAgent\u003c/code\u003e value directly into the HTML, without proper encoding, resulting in the execution of the attacker-controlled JavaScript in the administrator\u0026rsquo;s browser.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful XSS attack can allow an unauthenticated attacker to execute arbitrary JavaScript code in the context of an administrator\u0026rsquo;s session. This can lead to a complete forum takeover, including creating new administrative accounts, modifying site-wide settings, and exfiltrating user data from admin-only endpoints. Due to the unauthenticated nature of the vulnerability, it is readily exploitable at scale and may be automated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of YAFNET.Core later than 4.0.4 or greater than 3.2.11 to remediate the XSS vulnerability described in CVE-2026-43938.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect YAFNET XSS in Event Log\u0026rdquo; to your SIEM to identify potential exploitation attempts targeting the \u003ccode\u003eUser-Agent\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/api/Attachments/GetAttachment\u003c/code\u003e with suspicious \u003ccode\u003eUser-Agent\u003c/code\u003e headers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T20:31:36Z","date_published":"2026-05-05T20:31:36Z","id":"/briefs/2024-01-02-yafnet-xss/","summary":"YAFNET is vulnerable to an unauthenticated stored second-order XSS vulnerability in the admin event log, triggered by a reflected `User-Agent` header, allowing an attacker to execute arbitrary JavaScript in an administrator's session.","title":"YAFNET Unauthenticated Stored XSS via User-Agent Header","url":"https://feed.craftedsignal.io/briefs/2024-01-02-yafnet-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — YAFNET.Core","version":"https://jsonfeed.org/version/1.1"}