Cross-site Scripting (XSS) - Reflected in forkcms/forkcms

Valid

Reported on Aug 5th 2021


✍️ Description

forkcms is vulnerable to reflected XSS through the search form, via the q_widget query parameter.

🕵️‍♂️ Proof of Concept

  1. Go to http://site.com/search?form=search&q_widget=%22%3E%3Csvg/onload=alert(document.domain)%3E
  2. The XSS payload will be executed

💥 Impact

An attacker can execute JavaScript code in the context of the website.
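
A regression check for this finding, added here as an example (not code from the report or from forkcms): it replays the report's q_widget value through a hypothetical search-form template, once unescaped and once attribute-escaped, and parses the output to see whether an injected element with an event handler appears. The template, the function names and the assumption that the value lands in an input's value attribute are illustrative; Python stands in for the server-side template layer.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# PoC URL exactly as given in the report (site.com is the report's placeholder host).
POC_URL = ("http://site.com/search?form=search&q_widget="
           "%22%3E%3Csvg/onload=alert(document.domain)%3E")
# Hypothetical template: assumes q_widget is echoed into an input's value attribute.
TEMPLATE = '<form action="/search"><input type="text" name="q_widget" value="{q}"></form>'

def reflected_value(url, param="q_widget"):
    """Return the URL-decoded value of the reflected query parameter."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[param][0]

def render_unsafe(q):
    """Vulnerable pattern: raw request data placed straight into the markup."""
    return TEMPLATE.format(q=q)

def render_escaped(q):
    """Hardened pattern: encode for an HTML attribute context, quotes included."""
    return TEMPLATE.format(q=escape(q, quote=True))

class Audit(HTMLParser):
    """Records every start tag, every on* handler attribute and every input value."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.handlers, self.values = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if tag == "input" and name == "value":
                self.values.append(value)

def audit(markup):
    """Parse rendered markup and report what a browser-like parser would see."""
    parser = Audit()
    parser.feed(markup)
    parser.close()
    return {"tags": parser.tags, "handlers": parser.handlers, "values": parser.values}

if __name__ == "__main__":
    q = reflected_value(POC_URL)
    for label, render in (("unsafe", render_unsafe), ("escaped", render_escaped)):
        print(label, audit(render(q)))
```

With the escaped rendering the parameter round-trips as the input's text value and no extra element is created, which is the property a regression test for this fix should pin down.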

We have contacted a member of the forkcms team and are waiting to hear back (4 months ago)
Jelmer Prins confirmed that a fix has been merged on 18b36b (3 months ago)
Jelmer Prins has been awarded the fix bounty