/

Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Valid

Reported on

Oct 20th 2021

Description

When uploading a new theme, the description of a theme can contain JavaScript code. This can be used for Cross-Site-Scripting.

Proof of Concept

I downloaded the Kompact theme (https://github.com/jessedobbelaere/fork-cms-theme-kompact/archive/master.zip), extracted it and changed in info.xml the description part to:

<description>
        <![CDATA[
        Kompact<script>alert(1);</script>
        ]]>
</description>

After adjusting info.xml, I packed all files back into a zip file and uploaded it in ForkCMS.
When the user opens the "Details" page of the theme, the JavaScript code (th alert) will be executed.

Impact

Executing any JavaScript an attacker could think of. By default, it is used to steal session cookies.

Occurrences

Model.php L903

We have contacted a member of the forkcms team and are waiting to hear back a year ago

Jelmer Prins validated this vulnerability a year ago

kstarkloff has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 981730 a year ago

Jelmer Prins has been awarded the fix bounty

This vulnerability will not receive a CVE

Model.php#L903 has been validated

to join this conversation

We have contacted a member of the forkcms team and are waiting to hear back a year ago

Jelmer Prins validated this vulnerability a year ago

kstarkloff has been awarded the disclosure bounty

The fix bounty is now up for grabs

commented a year ago

Maintainer

fix is currently in review

Jelmer Prins marked this as fixed in 5.11.1 with commit 981730 a year ago

Jelmer Prins has been awarded the fix bounty

This vulnerability will not receive a CVE

Model.php#L903 has been validated

to join this conversation