Cross-site Scripting (XSS) - Reflected in forkcms/forkcms

Valid
Reported on May 11th 2021

✍️ Description

The forkcms is vulnerable to XSS through Online movies id edition.

🕵️‍♂️ Proof of Concept

  1. With an authenticated user, access http://localhost/private/en/media_library/media_item_index.
  2. Click on New media.
  3. Select Online movies (Youtube, Vimeo, ...) and click on Next.
  4. Select any Source, write anything in the Movie id and Movie title fields and click on Add movie.
  5. Click on Back to overview.
  6. Select the Movies tab and click on Edit over the movie added before.
  7. In the Movie ID field, write <img src onerror=alert()> and click on Save. An alert will pop up.

PoC video.

💥 Impact

The PoC steps do not work anymore. The characters < and > are being sanitized.