Vanilla Forums 2.1.1 Cross Site Scripting
The vulnerability is related to the insufficient filtration in HTMLawed. Existing filter can be bypassed and paste into the HTML tag onerror event, that leads to stored XSS. I notified the developers of existing vulnerabilities and they closed it in version 2.1.1 proof:...