Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-35589: Cross-site Scripting (XSS) - Generic in forkcms

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the “publish_on_time” Parameter.

CVE
#xss#web#ios#google#java

✍️ Description

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the “publish_on_time” Parameter

🕵️‍♂️ Proof of Concept

Vulnerable Parameter: publish_on_time

XSS payload: 17:59’"()&%<yes><ScRiPt >alert(1)</ScRiPt>

Steps to reproduce issue

1- Login to Fork admin panel

2- Goto Modules=>Blog=>Edit

3- Turn on Burp Intercept

4- Click on “Publish”

5- Change value of “publish_on_time” parameter to 17:59’"()&%<yes><ScRiPt >alert(1)</ScRiPt>

6- Forward the request and XSS will be triggered

Video POC: https://drive.google.com/file/d/1LuVfabd0NRs8xKSR3vTpchB56ScgxL2a/view?usp=sharing`****💥 Impact

With the help of xss attacker can perform social engineering on users by redirecting them from real website to fake one. Attacker can steal their cookies leading to account takeover and download a malware on their system, and there are many more attacking scenarios a skilled attacker can perform with xss.

Related news

GHSA-q4qv-3x58-rxmh: ForkCMS XSS via `publish_on_time` parameter

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the `publish_on_time` Parameter. This issue was patched in version 5.11.0.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907