Lucene search

GitHub Advisory DatabaseGHSA-QF2G-Q4MC-W7RR

HistoryMar 25, 2022 - 12:00 a.m.

Cross-site Scripting in Fork CMS

2022-03-2500:00:34

CWE-79

GitHub Advisory Database

github.com

fork cms

cross-site scripting

vulnerability

javascript

module upload

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Fork CMS prior to 5.11.1 is vulnerable to stored cross-site scripting. When uploading a new module, the description of the module can contain JavaScript code. The JavaScript code may be executed after uploading the new module and looking at the Details page.

Affected configurations

Vulners

Node

forkcmsforkcmsRange<5.11.1

VendorProductVersionCPE
forkcmsforkcms*cpe:2.3:a:forkcms:forkcms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
forkcms	forkcms	*	cpe:2.3:a:forkcms:forkcms::::::::

References

github.com/advisories/GHSA-qf2g-q4mc-w7rr

github.com/forkcms/forkcms/commit/981730f1a3d59b423ca903b1f4bf79b848a1766e

huntr.dev/bounties/b5b8c680-3cd9-4477-bcd9-3a29657ba7ba

nvd.nist.gov/vuln/detail/CVE-2022-0145

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for GHSA-QF2G-Q4MC-W7RR