Cross-site Scripting (XSS) - DOM in forkcms/forkcms


Reported on

Aug 31st 2021

✍️ Description

The underlying library expects the charset name in lowercase, but Fork CMS passes it in uppercase, which causes some of the XSS protections to fail.
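The report does not include code, so the following is an added illustration of the bug class it describes, not code from Fork CMS or from the sanitizer library it uses. It models a hypothetical sanitizer whose charset lookup is case-sensitive, a caller that hands it "UTF-8" instead of "utf-8", and the caller-side fix of normalizing the name before the call. The sanitizer, the charset table, the search-box template and the attacker payload are all constructed for the example.

```python
"""Constructed model of a case-sensitive charset lookup defeating escaping.

Nothing here is Fork CMS code; the sanitizer is a stand-in for an
"underlying library" that keys its behaviour on a lowercase charset name.
"""
import html

# Constructed table of charset names the hypothetical sanitizer understands.
# Lowercase only, mirroring "needs to get the charset in lowercase".
SUPPORTED_CHARSETS = {"utf-8", "iso-8859-1", "windows-1252"}

# Constructed attacker input: closes a quoted attribute value and injects a tag.
PAYLOAD = '"><img src=x onerror=alert(document.domain)>'


def sanitize_buggy(value: str, charset: str) -> str:
    """Hypothetical sanitizer with an exact, case-sensitive charset lookup.

    An unrecognised charset name skips the encoding-aware escaping and the
    value is passed through untouched. That fallback is constructed for the
    example; it stands in for "some of the XSS protections fail".
    """
    if charset not in SUPPORTED_CHARSETS:
        return value
    return html.escape(value, quote=True)


def normalize_charset(charset: str) -> str:
    """Caller-side fix: give the library a canonical lowercase charset name."""
    return charset.strip().lower()


def sanitize_fixed(value: str, charset: str) -> str:
    """Same sanitizer, called with the normalized charset name."""
    return sanitize_buggy(value, normalize_charset(charset))


def render_search_box(term: str, charset: str, sanitize) -> str:
    """Constructed template fragment that echoes the search term back."""
    return '<input type="search" name="q" value="%s">' % sanitize(term, charset)


def attribute_broken(markup: str) -> bool:
    """True if the payload escaped the attribute and landed as live markup."""
    return "<img" in markup and "onerror=" in markup


def charset_lookup_is_case_sensitive(sanitize) -> bool:
    """Quick check for a sanitizer wrapper: the same charset spelled in two
    cases must produce the same output. A difference means the uppercase
    spelling is silently taking a weaker path."""
    probe = '"<>'
    return sanitize(probe, "utf-8") != sanitize(probe, "UTF-8")


if __name__ == "__main__":
    # Application configured with the charset in uppercase, as the report describes.
    print("buggy:", render_search_box(PAYLOAD, "UTF-8", sanitize_buggy))
    print("fixed:", render_search_box(PAYLOAD, "UTF-8", sanitize_fixed))
    print("lookup case-sensitive:", charset_lookup_is_case_sensitive(sanitize_buggy))
    print("lookup case-sensitive:", charset_lookup_is_case_sensitive(sanitize_fixed))
```

Normalizing on the caller side is the minimal fix; the more robust one is for the library itself to compare charset names case-insensitively, since IANA charset names are defined as case-insensitive and "UTF-8" is what most HTTP headers and meta tags actually carry. The `charset_lookup_is_case_sensitive` probe is the kind of one-line regression check worth keeping next to any wrapper around such a library.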

🕵️‍♂️ Proof of Concept

Go to and hover over the search box

💥 Impact

An attacker can execute arbitrary JavaScript in the context of the website.


We have contacted a member of the forkcms team and are waiting to hear back 2 years ago
Jelmer Prins marked this as fixed with commit c21306 2 years ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE