Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Status: Valid

Reported on: Oct 25th 2021


Description

When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed.

Proof of Concept

I downloaded this module, https://github.com/friends-of-forkcms/fork-cms-module-banners/archive/master.zip, unzipped it, and changed the description in the file src/Backend/Modules/Banners/info.xml to this:

<description>
    <![CDATA[
        The banners module.
        <script>alert(4);</script>
    ]]>
</description>

After adjusting the info.xml file, pack all files back into a zip file and upload it as a new module. After the upload, visit the Details page of this module.

Impact

Executing any JavaScript an attacker could think of. By default, it is used to steal session cookies.
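The report shows the root cause without naming it: the module description is read out of a CDATA section in info.xml and written into the Details page as raw HTML. The following is an added example, not Fork CMS code, that reproduces the data flow on a constructed info.xml mirroring the report's payload and contrasts an unescaped renderer with one that HTML-encodes the description at output time. The function names, the minimal `<module>` document and the `<p class="description">` wrapper are assumptions for illustration; the real Fork CMS templates are not quoted here.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed info.xml, modelled on the payload in the report above.
# Only the <description> element matters for this example; the rest of
# the real module manifest is omitted.
INFO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<module>
    <name>Banners</name>
    <description>
        <![CDATA[
            The banners module.
            <script>alert(4);</script>
        ]]>
    </description>
</module>
"""


def parse_description(xml_text: str) -> str:
    """Return the text of <description>, exactly as the uploader wrote it.

    The XML parser decodes the CDATA wrapper, so the returned string
    contains a literal <script> tag: CDATA protects the XML document, it
    says nothing about whether the content is safe to put into HTML.
    """
    root = ET.fromstring(xml_text)
    node = root.find("description")
    return (node.text or "").strip() if node is not None else ""


def render_details_unsafe(description: str) -> str:
    """Vulnerable pattern: attacker-controlled text interpolated into HTML verbatim."""
    return f'<p class="description">{description}</p>'


def render_details_safe(description: str) -> str:
    """Fixed pattern: encode for the HTML text context at the point of output.

    html.escape with quote=True turns < > & " ' into entities, so the
    browser shows the tag as text instead of executing it.
    """
    return f'<p class="description">{html.escape(description, quote=True)}</p>'


# Simple check a reviewer or a test suite can run over the rendered page:
# no unencoded <script ...> may survive in output built from module metadata.
_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_script(rendered_html: str) -> bool:
    return _SCRIPT_TAG.search(rendered_html) is not None


if __name__ == "__main__":
    desc = parse_description(INFO_XML)
    print("parsed description:", repr(desc))
    print("unsafe render executes script:", contains_active_script(render_details_unsafe(desc)))
    print("safe render executes script:  ", contains_active_script(render_details_safe(desc)))
    print(render_details_safe(desc))
```

The check is deliberately applied to the rendered HTML rather than to the upload: rejecting `<` in info.xml at upload time is a useful extra guard, but the defect the report describes is missing output encoding, and that is what the safe renderer fixes.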

Timeline

We have contacted a member of the forkcms team and are waiting to hear back. (a year ago)
We have sent a follow up to the forkcms team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the forkcms team. We will try again in 10 days. (a year ago)
We have sent a third and final follow up to the forkcms team. This report is now considered stale. (a year ago)
Jelmer Prins validated this vulnerability. (a year ago)
kstarkloff has been awarded the disclosure bounty.
The fix bounty is now up for grabs.

Jelmer Prins (Maintainer), a year ago:
fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 981730. (a year ago)
Jelmer Prins has been awarded the fix bounty.
This vulnerability will not receive a CVE.