Cross-site Scripting (XSS) - Reflected in forkcms/forkcms

Valid

Reported on

Aug 5th 2021

✍️ Description

The forkcms is vulnerable to XSS through settings translation

🕵️‍♂️ Proof of Concept

  1. Go to https://demo.fork-cms.com/private/en/locale
  2. In search box named "Reference code" input "><svg/onload=alert(document.domain)>
  3. XSS payload will be executed

💥 Impact

An attacker can execute JavaScript code in the website

Occurrences

We have contacted a member of the forkcms team and are waiting to hear back 2 years ago
Jelmer Prins marked this as fixed with commit 18b36b 2 years ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation