Cross-site Scripting (XSS) - DOM in forkcms/forkcms

Valid

Reported on Aug 31st 2021


✍️ Description

The underlying library expects the charset in lowercase, but Fork passes it in uppercase, causing some of the XSS protections to fail.
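The bug class described above, shown as an added example that is not code from Fork CMS or from the library it uses. The report does not name the library or show its code, so the helper names, the charset list and the fail-open fallback are assumptions made for illustration.

```php
<?php
// Hypothetical escaping helper (not Fork CMS or library code): it only knows
// lowercase charset names and compares them case-sensitively.
function escape_strict_case(string $value, string $charset): string
{
    $known = ['utf-8', 'iso-8859-1'];
    if (in_array($charset, $known, true)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
    }
    // Assumed behaviour: an unrecognised charset fails open and the raw value
    // is returned, so the caller silently loses its output encoding.
    return $value;
}

// Hardened form: normalise the name once, and fail closed on unknown charsets.
function escape_normalised(string $value, string $charset): string
{
    $known = ['utf-8', 'iso-8859-1'];
    $charset = strtolower(trim($charset));
    if (!in_array($charset, $known, true)) {
        throw new InvalidArgumentException("Unsupported charset: {$charset}");
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

// Constructed input with the same shape as the value reflected in the PoC.
$input = '"><input onmouseover="alert(\'jelmer\')"';

// Compare both helpers for the lowercase and uppercase spelling of the charset.
foreach (['utf-8', 'UTF-8'] as $charset) {
    $weak = escape_strict_case($input, $charset);
    $safe = escape_normalised($input, $charset);
    printf("%-6s strict-case: %s\n", $charset, $weak === $input ? 'NOT escaped' : 'escaped');
    printf("%-6s normalised : %s\n", $charset, $safe === $input ? 'NOT escaped' : 'escaped');
}
```

A regression test for a fix of this kind should pass the charset in both spellings and assert that the quote and angle-bracket characters come back encoded in each case.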

🕵️‍♂️ Proof of Concept

Go to https://demo.fork-cms.com/en/search?form=search&q_widget=%2Fen%2Fsearch%3Fform%3Dsearch%26q_widget%3D%22%3E%3Cinput%252Fonmouseover%253D%22alert%28%27jelmer%27%29%22%26submit%3Dsearch&submit=search and hover over the search box

💥 Impact

An attacker can execute JavaScript code in the website.

We have contacted a member of the forkcms team and are waiting to hear back (3 months ago)
Jelmer Prins confirmed that a fix has been merged on c21306 (3 months ago)
Jelmer Prins has been awarded the fix bounty