| Titel | Guizhou Qianhu Technology Co., Ltd. FoxCMS ≤ v1.2 Reflected Cross-Site Scripting (Reflected XSS, CWE-79) |
|---|
| Beschreibung | A reflected cross-site scripting (XSS) vulnerability exists in FoxCMS (≤ v1.2) in the Search page. The keyword parameter is echoed back to the page without proper context-sensitive encoding, allowing an attacker to inject JavaScript.
Proof-of-concept (example):
GET /index.php/Search?fields=title&kwtype=1&keyword=321"%20onmouseover="alert(document.cookie);
When a victim opens the crafted URL, the injected script executes (demonstrable via alert(1) or alert(document.cookie)). Impact: an attacker can execute arbitrary JavaScript in the victim’s browser, potentially stealing non-HttpOnly cookies, performing phishing, CSRF chaining, or conducting actions on behalf of the user.
Mitigation: perform context-aware output encoding when rendering keyword (e.g. HTML-attribute encoding), enforce input validation/length limits, and set sensitive cookies with HttpOnly; Secure; SameSite. Deploy a strict Content Security Policy (CSP) as an additional defense. Suggested severity: Medium (escalate to High if session identifiers are stored in readable cookies). |
|---|
| Quelle | ⚠️ https://github.com/coolcj-stack/FoxCMS-V1.2-is-vulnerable-to-cross-site-scripting-attacks.-There-is-an-XSS-vulnerability |
|---|
| Benutzer | BlackSpdier (UID 89912) |
|---|
| Einreichung | 24.09.2025 16:02 (vor 7 Monaten) |
|---|
| Moderieren | 04.10.2025 20:57 (10 days later) |
|---|
| Status | Akzeptiert |
|---|
| VulDB Eintrag | 327187 [qianfox FoxCMS bis 1.2 Search Page /index.php/Search keyword Cross Site Scripting] |
|---|
| Punkte | 20 |
|---|