Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Valid

Reported on

Mar 23rd 2021


✍️ Description

A cross-site scripting (XSS) issue in Fork version 5.9.3 allows remote attackers to inject JavaScript via the "start_date" parameter.

🕵️‍♂️ Proof of Concept

XSS payload: '"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>

Steps to reproduce issue

1- Log in to the Fork admin panel

2- Go to Modules => Formbuilder

3- Turn on Burp Intercept

4- Click on "Update Filter"

5- Change value of "start_date" parameter to 22/03/2021'"()%26%25<yes><ScRiPt%20>alert(1)</ScRiPt>

6- Forward the request and the XSS will be triggered

Video POC: https://drive.google.com/file/d/12PqUfuw3RFyOcFS0HIHfTkxrpsDDtACd/view?usp=sharing

💥 Impact

With XSS, an attacker can perform social engineering on users by redirecting them from the real website to a fake one. An attacker can also steal their cookies, leading to account takeover, and download malware onto their system. There are many more attack scenarios a skilled attacker can carry out with XSS.
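One way to handle a date filter value such as "start_date" so that nothing but a real date reaches the page, added here as an example; it is not Fork CMS code and not the merged fix. The helper names `parseFilterDate` and `e` are hypothetical, and the `d/m/Y` format is an assumption inferred from the `22/03/2021` value in the steps above.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a Fork CMS function): accept start_date only if it
// is exactly a d/m/Y calendar date, otherwise return null.
function parseFilterDate(string $raw): ?DateTimeImmutable
{
    // "!" resets unparsed fields (time) so the result is midnight of that day.
    $date = DateTimeImmutable::createFromFormat('!d/m/Y', $raw);

    // createFromFormat() rolls impossible dates over (31/02 becomes 03/03),
    // so require the parsed value to round-trip to the exact input string.
    if ($date === false || $date->format('d/m/Y') !== $raw) {
        return null;
    }
    return $date;
}

// Hypothetical helper: encode a value for an HTML attribute or text node.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: a valid date, an impossible date, and the
// report's value after the server has URL-decoded it.
$samples = [
    '22/03/2021',
    '31/02/2021',
    '22/03/2021\'"()&%<yes><ScRiPt >alert(1)</ScRiPt>',
];

foreach ($samples as $raw) {
    $date = parseFilterDate($raw);
    // Only the re-serialised, validated date is written back into the form;
    // rejected input is never echoed, and output is encoded regardless.
    $value = $date === null ? '' : $date->format('d/m/Y');
    printf("<input name=\"start_date\" value=\"%s\">\n", e($value));
}
```

Validation and output encoding are applied together on purpose: the strict parse keeps malformed values out of queries and templates, and the encoding step still protects the attribute if another code path ever echoes the raw parameter.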

Jelmer Prins confirmed that a fix has been merged on 76bf73 a year ago
Jelmer Prins has been awarded the fix bounty