CVE-2022-35587Cross-site Scripting in Fork CMS

CWE-79Cross-site ScriptingCWE-502Deserialization of Untrusted DataCWE-790Improper Filtering of Special Elements5 documents5 sources
Severity
4.8MEDIUMNVD
CISA9.8
EPSS
0.2%
top 54.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
ForkcmsFork-cms Fork CMS
Timeline
PublishedAug 12
Latest updateNov 28

Description

A cross-site scripting (XSS) issue in the Fork version 5.9.3 allows remote attackers to inject JavaScript via the "publish_on_date" Parameter

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages2 packages

Packagistforkcms/forkcms< 5.11.0

Patches

Patch: huntr.devPatch: huntr.dev

🔴Vulnerability Details

2
OSV
ForkCMS XSS via `publish_on_date` parameter2022-08-13
GHSA
ForkCMS XSS via `publish_on_date` parameter2022-08-13

📋Vendor Advisories

2
CISA
Oracle Fusion Middleware Unspecified Vulnerability2022-11-28
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: OpenSSO Agent — CVE-2021-355872022-01-15
CVE-2022-35587 — Cross-site Scripting in Fork CMS | cvebase