CVE-2022-0153
Fork CMS contains a SQL injection vulnerability in versions prior to 5.11.1. The issue occurs when deleting submissions that belong to a form created with the FormBuilder module, where the id[] parameter is vulnerable to SQL injection. The CVE-2022-0153 entry is corroborated by multiple sources (...
CVE-2022-1064
Fork CMS (forkcms/forkcms) is affected by SQL injection in versions prior to 5.11.1, via the ids parameter in blog comments where bulk marking as spam enables injection. The root cause is lack of validation of externally entered SQL statements in that parameter. Consequences stated include potent...
CVE-2014-9470
Fork CMS prior to 3.8.4 is affected by a cross-site scripting (XSS) vulnerability in the loadForm() function (Frontend/Modules/Search/Actions/Index.php) where the q_widget parameter to /en/search can inject arbitrary script/HTML. The issue arises from insufficient input filtering and is exploitab...
CVE-2022-0145
Fork CMS (forkcms/forkcms) prior to version 5.11.1 is affected by a stored XSS vulnerability. The flaw allows an attacker to inject and have JavaScript execute when a new module is uploaded, via the module description field, with exploitation tied to viewing the Details page after upload. Impact ...
CVE-2022-35590
ForkCMS 5.9.3 contains a cross-site scripting (XSS) vulnerability that allows remote attackers to inject JavaScript via the end_date parameter due to insufficient input sanitization. This affects ForkCMS and is documented across multiple sources (including Red Hat and Veracode references). The is...
CVE-2022-35585
ForkCMS 5.9.3 is affected by a stored XSS via the start_date parameter. The vulnerability allows remote attackers to inject JavaScript, with exploit noted as requiring user interaction and a network-focused attack surface. A fix is available in ForkCMS 5.11.0, per multiple connected sources (e.g....
CVE-2022-35587
Summary: ForkCMS 5.9.3 is affected by a cross-site scripting (XSS) flaw that allows remote injection of JavaScript via the publish_on_date parameter. The issue is described across multiple sources and is attributed to the handling of the spoon library charset in Kernel.php (defineForkConstants). ...
CVE-2022-35589
Summary: CVE-2022-35589 is a cross-site scripting (XSS) vulnerability in ForkCMS v5.9.3 that allows remote attackers to inject JavaScript via the publish_on_time parameter. The issue has several public entries (NVD, Red Hat, Veracode, GHSA) describing the same vector and confirming the vulnerable co...
CVE-2020-23263
Fork CMS 5.8.2 is affected by a persistent cross-site scripting (XSS) vulnerability (CVE-2020-23263). Attack vector: remote, via user-supplied data in navigation_title and title parameters on /private/en/pages/add. Impact described as injection of arbitrary JavaScript code; authenticated/unauthen...
CVE-2020-24036
ForkCMS prior to version 5.8.3 is affected by PHP object injection via the backend Ajax endpoint. The vulnerability allows an authenticated remote user to inject PHP objects through unserialize calls in the Ajax handlers, enabling remote code execution. The issue is specific to ForkCMS’s backend ...
CVE-2020-23264
CVE-2020-23264 is a CSRF vulnerability in the Fork-CMS platform, affecting versions before 5.8.2. The issue allows remote attackers to hijack the authentication of logged-in administrators. The provided documents specify the vulnerability but do not include a concrete root-cause analysis or expl...
CVE-2020-23960
CVE-2020-23960 is documented across multiple connected records as a set of multiple CSRF vulnerabilities in the ForkCMS Admin Console prior to version 5.8.3. The issues allow remote attackers to perform unauthorized administrator actions such as approving large user comment queues, restoring dele...
CVE-2020-23049
Fork CMS Content Management System v5.8.0 is affected by a cross-site scripting (XSS) vulnerability in the Displayname field when using Add, Edit, or Register. The root cause is improper encoding/input handling of the Displayname field, enabling attackers to inject and execute arbitrary web scrip...
CVE-2021-28931
Fork CMS 5.9.2 has an arbitrary file upload vulnerability that lets an attacker create or replace arbitrary files in the /themes directory by uploading a crafted ZIP via the Themes panel. CVSS metrics indicate a high impact (CVSS-3.1 base score 8.8, high confidentiality/integrity/availability i...
CVE-2012-1188
CVE-2012-1188 covers multiple XSS vulnerabilities in Fork CMS before 3.2.7. The flaws allow remote attackers to inject arbitrary HTML/JS via: (1) type and (2) querystring parameters to /private/en/error, and (3) name parameter to /private/en/locale/index. The issue affects Fork CMS versions up to...
CVE-2015-1467
Fork CMS is affected by SQL injection in the Translations feature prior to version 3.8.6. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the language[] and type[] parameters sent to private/en/locale/index. The issue is triggered when an authenticated us...
CVE-2012-1207
Summary (CVE-2012-1207): Fork CMS's vulnerable component is in frontend/core/engine/javascript.php; a directory traversal flaw allows remote attackers to read files via a ".." in the module parameter to frontend/js.php. Affected: Fork CMS 3.2.4 and possibly earlier versions before 3.2.5. Impact ...
CVE-2018-5215
Fork CMS 5.0.7 is affected by an XSS vulnerability in the title parameter of the /private/en/pages/edit endpoint. The root cause is a cross-site scripting flaw that allows injection via the title field, as documented across multiple sources (CVE-2018-5215 and related advisories). Exploitation det...
CVE-2012-1209
CVE-2012-1209 describes a cross-site scripting (XSS) vulnerability in Fork CMS. The issue is in the backend/core/engine/base.php file for Fork CMS versions around 3.2.4 and possibly earlier than 3.2.5, where an attacker could inject arbitrary web script or HTML via the highlight parameter. The vu...
CVE-2012-1208
Fork CMS 3.2.4 (and possibly earlier versions) is affected by multiple XSS vulnerabilities in backend/core/engine/base.php that allow remote attackers to inject arbitrary script via the blog/settings report parameter or users/index error parameter. The issue is addressed in Fork CMS 3.2.5 (per li...
CVE-2018-17595
CVE-2018-17595 affects Fork CMS 5.4.0, where HTML Injection and Stored XSS are triggered through the /backend/ajax URI. The available connected sources confirm the vulnerability in the specified version and describe the attack class as HTML injection leading to stored XSS in Fork CMS’s backend AJ...
CVE-2018-20682
Fork CMS 5.0.6 is affected by a stored XSS in the private/en/settings facebook_admin_ids input (Admin ids). The root cause is unsanitized/unencoded input rendered to users, enabling arbitrary script execution in stored form. Exploitation status is not detailed in the provided documents. Multiple ...
CVE-2019-15521
CVE-2019-15521 affects Spoon Library up to 2014-02-06 as used in Fork CMS before 1.4.1 and other products. The vulnerability enables PHP object injection via a cookie containing a serialized object, allowing code execution under deserialization in spoon/cookie/cookie.php. Public sources (Red Hat,...
CVE-2020-13633
Fork CMS prior to version 5.8.3 is vulnerable to cross-site scripting (XSS) due to insufficient escaping of user-supplied values in navigation_title and pageTitle (createHtml()). The vulnerability allows injection of malicious scripts through these fields, with the impact described as XSS in mult...
CVE-2012-5164
Fork CMS before 3.2.7 is affected by multiple XSS vulnerabilities that allow remote injection of arbitrary scripts via the term parameter to frontend/modules/search/ajax/autocomplete.php, search/ajax/autosuggest.php, livesuggest.php, and save.php. Affects Fork CMS 3.x up to 3.2.7; CVSSv2 base sco...