Don't fool yourself into a false sense of security. SMF v2.0.2 has many vulnerabilities.
It seems like you are referring to the same vulnerabilities referenced in this thread:
http://www.simplemachines.org/community/index.php?topic=482530.0The SMF Project Manager had this to say about it:
this is, essentially, BS...
not because it's not true... but because in order to take advantage of it, the person needs to already have access to the admin section... and if you have full access to the admin section, you already have access to ALL of the users' data and the ability to upload packages - so this "injection" complaint is really kinda silly.
Not that I really care if we update or not, because I can understand the advantages and disadvantages of both actions. But I would like to see something happen to make this forum a bit more secure.
This reads to me like they don't understand the dangers of XSS. Which is kinda worrying if that is an official response.
The advisory describes a persistent XSS flaw in the Admin section. The comment about admins already having access is completely off the mark. XSS attacks are always executed in the context of the privileged user. The validation flaw could be behind bloody Fort Knox -- it doesn' t matter in the slightest; the attack is still exactly the same as if it were in the front-end.
That forum thread is a face-palm.
If you need a reason to move away from SMF, there it is.
