Cross-site Scripting (XSS) - DOM in forkcms/forkcms


Reported on Aug 31st 2021

✍️ Description

The underlying sanitisation library expects the charset name to be passed in lowercase, but Fork CMS passes it in uppercase. Because the label does not match what the library expects, some of its XSS protections are not applied.
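The failure mode described above, as an added illustration rather than code from Fork CMS or from the library it uses: a hypothetical `hypotheticalLibraryEscape()` stands in for the library and takes its strict path only when the charset label is exactly `utf-8`; the two callers, the payload and all names are assumptions constructed for this example, and the real library's internal check is not shown on this page.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from Fork CMS or the library it uses: a stand-in
// sanitiser that picks its protection level by comparing the charset label
// case-sensitively, plus a caller that passes the label in uppercase.

/**
 * Hypothetical "underlying library" escape routine. It only takes the strict
 * path when the label is the exact lowercase string it expects; any other
 * spelling, including "UTF-8", falls through to a weaker fallback.
 */
function hypotheticalLibraryEscape(string $value, string $charset): string
{
    if ($charset === 'utf-8') {
        // Strict path: quotes are escaped, so a value cannot break out of the
        // attribute it is placed in.
        return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    // Fallback for an "unrecognised" label: tags are neutralised but quotes
    // are left alone, which is exactly what an attribute injection needs.
    return htmlspecialchars($value, ENT_NOQUOTES | ENT_HTML5, 'UTF-8');
}

/** Caller mirroring the reported mistake: the label is passed in uppercase. */
function renderSearchBoxVulnerable(string $term): string
{
    return '<input type="text" name="q" value="'
        . hypotheticalLibraryEscape($term, 'UTF-8') . '">';
}

/** Caller mirroring the class of fix: normalise the label before passing it. */
function renderSearchBoxFixed(string $term): string
{
    return '<input type="text" name="q" value="'
        . hypotheticalLibraryEscape($term, strtolower('UTF-8')) . '">';
}

// Constructed payload: closes the value attribute and adds a mouseover handler,
// which fires when a visitor hovers over the search box.
$payload = '" onmouseover="alert(document.domain)" x="';

$vulnerable = renderSearchBoxVulnerable($payload);
$fixed = renderSearchBoxFixed($payload);

echo "Uppercase label : $vulnerable\n";
echo "Lowercase label : $fixed\n";

// Regression check a practitioner would keep: the handler must never survive
// as a live attribute once the label is normalised.
assert(strpos($vulnerable, ' onmouseover="') !== false);
assert(strpos($fixed, ' onmouseover="') === false);
```

Run with `php example.php`: with the uppercase label the payload's double quotes are left intact, so the rendered input carries a live `onmouseover` attribute; with the normalised label they come back as `&quot;` and the value stays inside its attribute. The more robust fix is for the library to normalise charset labels itself (PHP's own `htmlspecialchars` accepts the encoding name case-insensitively), so that a caller's spelling can never switch protections off.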

🕵️‍♂️ Proof of Concept

Go to and hover over the search box

💥 Impact

An attacker can execute arbitrary JavaScript in the context of the website, in the browser of any visitor who hovers over the affected search box.

We have contacted a member of the forkcms team and are waiting to hear back (3 months ago)
Jelmer Prins confirmed that a fix has been merged on c21306 (3 months ago)
Jelmer Prins has been awarded the fix bounty