Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Valid

Reported on

Oct 25th 2021


Description

When uploading a new module, the description of the module can contain JavaScript code. After uploading the new module and looking at the Details page, the JavaScript code would be executed.

Proof of Concept

  • I downloaded this module
https://github.com/friends-of-forkcms/fork-cms-module-banners/archive/master.zip

, unzipped it and adjusted the description path of the file

src/Backend/Modules/Banners/info.xml

to this

<description>
    <![CDATA[
        The banners module.
        <script>alert(4);</script>
    ]]>
</description>

After adjusting the info.xml file, pack all files back to a zip file and upload it as new module. After upload, visit the Details page of this module.

Impact

Executing any JavaScript an attacker could think of. By default, it is used to steal session cookies.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
We have sent a follow up to the forkcms team. We will try again in 7 days. 7 months ago
We have sent a second follow up to the forkcms team. We will try again in 10 days. 7 months ago
We have sent a third and final follow up to the forkcms team. This report is now considered stale. 6 months ago
Jelmer Prins validated this vulnerability 5 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins
2 months ago

fix is currently in review

Jelmer Prins confirmed that a fix has been merged on 981730 2 months ago
Jelmer Prins has been awarded the fix bounty
to join this conversation