Cross-site Scripting (XSS) - Generic in forkcms/library

Valid

Reported on

Mar 23rd 2021


✍️ Description


Submitted values were not escaped when rendered back into date, time, or hidden fields. This made it possible to perform an XSS attack by tampering with the URL.

🕵️‍♂️ Proof of Concept

Find a Spoon Form that contains a date, time, or hidden field and, depending on the form method (GET or POST), submit a value such as: 22/03/2021'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt> The value is not escaped when the form is rendered again and the popup is shown. A specific proof of concept can be seen in the disclosure on a project that uses the library: https://www.huntr.dev/bounties/4-other-forkcms/
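The bug class described above, as an added illustration that is not Spoon Library or Fork CMS code: a minimal stand-in form-field renderer in PHP, with the unescaped pattern next to the hardened one. The function names, the field name publish_on, and the decoded form of the report's payload are assumptions made for this example; the library's real rendering code and its fix are not reproduced here.

```php
<?php
// Added example (not Spoon Library / Fork CMS code). Shows why a value that is
// interpolated into an HTML attribute without encoding allows the payload from
// the report to break out of the attribute, and how attribute-context
// encoding neutralises it. Function and field names are hypothetical.

declare(strict_types=1);

// Vulnerable pattern: the submitted value lands verbatim inside value="...".
// A single " in the value closes the attribute and the rest becomes markup.
function renderFieldUnsafe(string $type, string $name, string $value): string
{
    return sprintf('<input type="%s" name="%s" value="%s" />', $type, $name, $value);
}

// Hardened pattern: encode every dynamic piece for the HTML attribute context.
// ENT_QUOTES covers both ' and " (the attribute could be single-quoted in
// other templates); ENT_SUBSTITUTE prevents htmlspecialchars from returning
// an empty string on invalid UTF-8, which would silently drop the value.
function encodeAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderFieldSafe(string $type, string $name, string $value): string
{
    return sprintf(
        '<input type="%s" name="%s" value="%s" />',
        encodeAttr($type),
        encodeAttr($name),
        encodeAttr($value)
    );
}

// Regression check a maintainer could keep in a test suite: the rendered
// field must still be a single <input> element, i.e. no raw < or " from the
// submitted value may survive inside the attribute.
function valueStaysInsideAttribute(string $html): bool
{
    // Exactly one tag, and no script markup anywhere in the output.
    return substr_count($html, '<') === 1 && stripos($html, '<script') === false;
}

// Constructed input: the report's URL-tampering payload as PHP sees it after
// the query string has been URL-decoded (%26 -> &, %25 -> %, %20 -> space).
$tampered = '22/03/2021\'"()&%<yes><ScRiPt >alert(1)</ScRiPt>';

foreach (['date', 'time', 'hidden'] as $type) {
    $unsafe = renderFieldUnsafe($type, 'publish_on', $tampered);
    $safe   = renderFieldSafe($type, 'publish_on', $tampered);

    printf("[%s] unsafe passes check: %s\n", $type, valueStaysInsideAttribute($unsafe) ? 'yes' : 'no');
    printf("[%s] unsafe: %s\n", $type, $unsafe);
    printf("[%s] safe   passes check: %s\n", $type, valueStaysInsideAttribute($safe) ? 'yes' : 'no');
    printf("[%s] safe:   %s\n", $type, $safe);
}
```

Run it with php on the command line: the unsafe variant fails the check for all three field types because the payload's quote closes the attribute and its tags become live markup, while the hardened variant renders the whole submitted string as inert attribute text (&quot;, &lt;, &gt;, &amp;). The same attribute-context encoding applies to every field type that echoes a submitted value back, not only date, time, and hidden.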

💥 Impact

With the help of XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. An attacker can steal their cookies, leading to account takeover, and deliver malware to their system, and there are many more attack scenarios a skilled attacker can carry out with XSS.
