Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Valid

Reported on Oct 20th 2021


Description

When a new theme is uploaded, the description taken from the theme's info.xml is rendered in the backend without escaping, so it can carry JavaScript. Any backend user who opens the theme's details page then runs that script in their browser, which makes this a stored Cross-Site Scripting (XSS) issue.

Proof of Concept

  • I downloaded the Kompact theme (https://github.com/jessedobbelaere/fork-cms-theme-kompact/archive/master.zip), extracted it, and changed the description element in info.xml to:
<description>
    <![CDATA[
    Kompact<script>alert(1);</script>
    ]]>
</description>
  • After adjusting info.xml, I packed all files back into a zip file and uploaded it to ForkCMS.

  • When the user opens the "Details" page of the theme, the JavaScript code (the alert) is executed.
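The following PHP script is an added example, not ForkCMS code and not the merged fix (the CMS's actual parsing and template code are not shown on this page). It parses an info.xml constructed from the payload above with SimpleXML and renders the description twice: once by raw concatenation, as a vulnerable details page would, and once with htmlspecialchars(). The function names, the surrounding markup and the file name are assumptions for illustration. The point it makes is that CDATA only tells the XML parser to take the content literally; the parsed description string therefore contains a real `<script>` tag, and anything that concatenates it into HTML without output encoding hands the theme author a stored XSS.

```php
<?php
// theme_info_xss.php (hypothetical file name; added example, not ForkCMS code)
declare(strict_types=1);

// Constructed sample info.xml using the payload from the report above.
const INFO_XML = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<theme>
    <name>Kompact</name>
    <version>1.0.0</version>
    <description>
        <![CDATA[
        Kompact<script>alert(1);</script>
        ]]>
    </description>
</theme>
XML;

/**
 * Parse the theme metadata the way a CMS would when importing a theme zip.
 * LIBXML_NOCDATA merges the CDATA section into ordinary text so the cast
 * below always yields the literal content; LIBXML_NONET is a defensive
 * measure (no network access while parsing untrusted XML) that is unrelated
 * to the reported bug.
 */
function parseThemeInfo(string $xml): array
{
    $info = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET | LIBXML_NOCDATA);
    if ($info === false) {
        throw new RuntimeException('info.xml is not well-formed XML');
    }

    // After parsing, the description is a plain string that contains a real
    // <script> tag: CDATA is not an escaping mechanism, only a parser hint.
    return [
        'name'        => trim((string) $info->name),
        'version'     => trim((string) $info->version),
        'description' => trim((string) $info->description),
    ];
}

// Vulnerable pattern: the untrusted string is concatenated straight into HTML,
// so the browser parses the attacker's <script> element and executes it.
function renderDescriptionVulnerable(array $info): string
{
    return '<p class="description">' . $info['description'] . '</p>';
}

// Fixed pattern: encode for the HTML text-node context at output time. The
// angle brackets become &lt; and &gt;, so the tag is displayed as text.
function renderDescriptionFixed(array $info): string
{
    $safe = htmlspecialchars($info['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p class="description">' . $safe . '</p>';
}

$info = parseThemeInfo(INFO_XML);
echo "Theme: {$info['name']} {$info['version']}", PHP_EOL;
echo 'Vulnerable: ', renderDescriptionVulnerable($info), PHP_EOL;
echo 'Fixed:      ', renderDescriptionFixed($info), PHP_EOL;
```

Run with `php theme_info_xss.php`: the vulnerable line emits the `<script>` tag intact, the fixed line emits it with the angle brackets entity-encoded. Escaping at output time, rather than stripping tags at upload, is the right place for the fix, because the same description string may later be emitted in other contexts (an attribute, a JSON response) that each need their own encoding.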

Impact

  • An attacker who can get a theme uploaded can execute arbitrary JavaScript in the browser of any backend user who opens the theme's details page. The usual abuse is to steal that user's session cookie or to perform backend actions with the victim's privileges. In practice, uploading a theme requires access to the backend, so the realistic scenarios are a malicious third-party theme handed to an administrator, or a lower-privileged backend user with upload rights targeting an administrator.

Occurrences

Model.php#L903 (validated)

Activity

We have contacted a member of the forkcms team and are waiting to hear back (7 months ago)
Jelmer Prins validated this vulnerability (7 months ago)
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins (2 months ago): fix is currently in review
Jelmer Prins confirmed that a fix has been merged on 981730 (2 months ago)
Jelmer Prins has been awarded the fix bounty