Cross-site Scripting (XSS) - Stored in forkcms/forkcms
Valid
Reported on Oct 25th 2021
Description
When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed.
Proof of Concept
- I downloaded this module https://github.com/friends-of-forkcms/fork-cms-module-banners/archive/master.zip, unzipped it and adjusted the description path of the file src/Backend/Modules/Banners/info.xml to this
<description>
<![CDATA[
The banners module.
<script>alert(4);</script>
]]>
</description>
After adjusting the info.xml file, pack all files back into a zip file and upload it as a new module.
After upload, visit the Details page of this module.
Impact
An attacker can execute any JavaScript they choose in the browser of whoever opens the module's Details page. Typically this is used to steal session cookies.
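A defender-side check for the issue described above, as an added example that is not part of the original report or of Fork CMS's own code. It reads every info.xml in a module archive, reports tag-like markup in the description, and shows the HTML-escaped form a Details page should output. The `<module>` wrapper element, the function names and the tag regex are assumptions made for illustration.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample: the description from the report; <module> wrapper is assumed.
SAMPLE_INFO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module>
  <description>
    <![CDATA[
      The banners module.
      <script>alert(4);</script>
    ]]>
  </description>
</module>
"""

# Heuristic: any tag-like sequence in a field meant to be plain text is flagged.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>")


def build_sample_zip():
    """Build an in-memory module archive holding the constructed info.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("src/Backend/Modules/Banners/info.xml", SAMPLE_INFO_XML)
    buf.seek(0)
    return buf


def audit_module_zip(fileobj):
    """Return one finding per info.xml: path, markup found, escaped description."""
    findings = []
    with zipfile.ZipFile(fileobj) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1] != "info.xml":
                continue
            # For untrusted archives prefer a hardened parser such as defusedxml.
            root = ET.fromstring(zf.read(name))
            # The parser hands CDATA back as plain text, so the markup survives intact.
            desc = (root.findtext(".//description") or "").strip()
            findings.append({
                "path": name,
                "markup": TAG_RE.findall(desc),
                "safe_html": html.escape(desc, quote=True),
            })
    return findings
```

A non-empty `markup` list is a reason to review the archive before installing it; escaping at render time is what prevents execution regardless of what the file contains.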
We have contacted a member of the forkcms team and are waiting to hear back (2 years ago)
We have sent a follow up to the forkcms team. We will try again in 7 days. (2 years ago)
We have sent a second follow up to the forkcms team. We will try again in 10 days. (2 years ago)
We have sent a third and final follow up to the forkcms team. This report is now considered stale. (a year ago)