{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-58344", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-21T15:00:11.849Z", "datePublished": "2026-04-22T14:57:06.069Z", "dateUpdated": "2026-04-22T14:57:06.069Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T14:57:06.069Z"}, "datePublic": "2024-06-12T00:00:00.000Z", "title": "Carbon Forum 5.9.0 Persistent XSS via Forum Name Field", "descriptions": [{"lang": "en", "value": "Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "94Cb", "product": "Carbon Forum", "versions": [{"version": "5.9.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/52043", "name": "ExploitDB-52043", "tags": ["exploit"]}, {"url": "https://www.94cb.com/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/lincanbin/Carbon-Forum", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/carbon-forum-persistent-xss-via-forum-name-field"}], "credits": [{"lang": "en", "value": "Chokri Hammedi", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft."}], "id": "CVE-2024-58344", "lastModified": "2026-04-22T21:22:35.387", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T16:16:48.363", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/lincanbin/Carbon-Forum"}, {"source": "disclosure@vulncheck.com", "url": "https://www.94cb.com/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/52043"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/carbon-forum-persistent-xss-via-forum-name-field"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T18:26:00.562520+00:00", "value": {"mitigation_remediation": ["Update Carbon Forum to the latest release that includes the XSS fix.", "If an immediate upgrade is not possible, restrict the Forum Name field to text only by sanitizing input and escaping output; consider temporarily disabling the ability to edit the Forum Name for non\u2011trusted staff.", "Enforce strict access controls and audit logs for all administrator actions to detect suspicious changes to the Forum Name field.", "Ensure that all administrators use strong, unique credentials and enable multi\u2011factor authentication to reduce the chance of credential compromise."], "summary": {"action": "Apply Patch", "impact": "Persistent Cross\u2011Site Scripting (XSS) that can hijack sessions and steal data"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Carbon Forum 5.9.0 release from the 94Cb vendor. No other versions are listed in the current data. Users running this exact version are directly impacted.", "description_and_impact": "Carbon Forum 5.9.0 has a persistent cross\u2011site scripting flaw that permits authenticated administrators to insert arbitrary JavaScript into the Forum Name field of the dashboard settings. The stored script runs in every visitor\u2019s browser when they view the forum, allowing an attacker to hijack user sessions and exfiltrate sensitive information. The weakness stems from unvalidated input and improper output encoding (CWE\u201179).", "risk_and_exploitability": "With a CVSS score of 5.1, the vulnerability is classified as Medium severity. An exploit requires that the attacker already have administrative access to the forum; it cannot be triggered by unauthenticated users. Because the EPSS score is not available and the issue is not in CISA\u2019s KEV catalog, the likelihood of widespread exploitation is uncertain, but privileged accounts are at risk if they are compromised or if attacker accounts are mistakenly granted admin rights."}}}}, "created": "2026-04-22T18:30:23.753879+00:00", "updated": "2026-04-22T18:30:23.753889+00:00", "vendors": []}