BBCode URL Tag Script Injection "Shoutbox" PHP Fusion 9.0.36

[Songohan22]

Describe the bug
BBCode URL Tag Script Injection "Shoutbox Admin"
To Reproduce
Steps to reproduce the behavior:

1. Log into the panel.
2. Go to "/php-fusion/infusions/shoutbox_panel/shoutbox_admin.php"
3. Click "New Shout"
4. Insert script injection: [url]https://nvd.nist.gov?[url] onmousemove=javascript:alert(String.fromCharCode(88,83,83));//[/url][/url]
5. Click " Send Message"
6. Click "Edit" open url redirect insert script.
   
7. Logout user.
8. Access link "/php-fusion/infusions/shoutbox_panel/shoutbox_archive.php"
9. Click any "Form Sign In" open url redirect insert script.
   

Impact
An attacker can use this vulnerability to redirect users to other malicious websites, which can be used for phishing and similar attacks.

Video POC
Video POC link: https://drive.google.com/open?id=1g9x6B-K338qnzHjWtbEHCadpyPLx-daX

Desktop (please complete the following information):

• OS: Kali
• Browser: Firefox
• Version of Browser: 68.6

[RobiNN1]

lol you really don't trust your administrators 😂

[Songohan22]

@RobiNN1
It can be sent from one member.
I will record the video and send it back to you.
Very sorry if the above description is not correct.

Thank you.

[RobiNN1]

No need, issue is confirmed.

[Songohan22]

@RobiNN1,
I Hope you fix it ASAP!
Thank you.

[r0ck3t1973]

Hi @RobiNN1
also: Impact: https://jeffchannell.com/Other/bbcode-xss-howto.html