forkcms is vulnerable to XSS through a search request. It is possible to set the HTTP Referer header to
Execute the following command (localhost):
With an authenticated user, access
PoC image: https://i.imgur.com/EIMofDE.png
An attacker can execute arbitrary JavaScript in the victim's browser, in the origin of the forkcms site.
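The report above does not include the command, the affected URL or the vulnerable code, so the following is an added illustration of the bug class only; it is not forkcms code and not the reporter's PoC. It shows a constructed page that reflects the Referer header into its markup unescaped, the same page with HTML escaping applied, and the canary check a tester would use to tell the two apart. The template strings, the canary value, the example host and path, and every function name are assumptions made for this example.

```python
import html
import re

# Canary with markup-significant characters. If it comes back byte-for-byte,
# the header value is being written into HTML without escaping. (Constructed
# value; any unique marker containing " < > works.)
CANARY = 'probe1"><b>x</b>'


def render_search_vulnerable(query: str, referer: str) -> str:
    """Constructed stand-in for a search page that echoes the Referer header
    straight into the markup. The query is escaped, the header is not."""
    return (
        "<h1>Search</h1>"
        f"<p>Results for: {html.escape(query)}</p>"
        f'<p>You came from: <a href="{referer}">{referer}</a></p>'
    )


def render_search_hardened(query: str, referer: str) -> str:
    """Hardened variant: the header value is HTML-escaped in both the
    attribute and the text node, and the href is restricted to http(s) URLs,
    because an escaped javascript: URL would still run when clicked."""
    safe_ref = html.escape(referer, quote=True)
    href = safe_ref if re.match(r"^https?://", referer, re.I) else "#"
    return (
        "<h1>Search</h1>"
        f"<p>Results for: {html.escape(query)}</p>"
        f'<p>You came from: <a href="{href}">{safe_ref}</a></p>'
    )


def probe_request(host: str, path: str, canary: str = CANARY) -> str:
    """Raw HTTP/1.1 request carrying the canary in the Referer header, as a
    tester would send it with curl -H or a raw socket. Host and path are
    whatever the target exposes; the values used in tests are hypothetical."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Referer: https://example.test/?r={canary}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )


def probe(render_fn, canary: str = CANARY) -> dict:
    """Render the page with the canary in the Referer and classify the result:
    'reflected' means the raw canary is present (unescaped reflection),
    'escaped' means only the entity-encoded form is present."""
    body = render_fn("test", "https://example.test/?r=" + canary)
    return {
        "reflected": canary in body,
        "escaped": html.escape(canary, quote=True) in body,
    }


if __name__ == "__main__":
    print("vulnerable:", probe(render_search_vulnerable))
    print("hardened:  ", probe(render_search_hardened))
    print(probe_request("localhost", "/search"))
```

Against a real target the same check is: send a request whose Referer contains the canary, then search the response body for the raw canary versus its entity-encoded form. Only the raw form indicates an injection point; an escaped reflection is harmless by itself.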