| Título | GitHub OpnForm 1.9.3 Cross Site Scripting |
|---|
| Descripción | Title: Unauthenticated Stored XSS on Form Text Input in v1.9.3
Description: XSS is possible on form input under the Text Input Block which allows an unauthenticated attacker that knows the form URL to submit arbitrary JS. An authenticated victim would have to view the form submission under /show/submissions endpoint to trigger the malicious JS.
The vulnerability has confirmed by the vendor to have been patched in v1.9.3 main branch with commit a2af1184e53953afa8cb052f4055f288adcaa608.
Please see the attached Google Doc link for more information under 1. Unauthenticated Stored XSS on Form Text Input and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608 |
|---|
| Fuente | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing |
|---|
| Usuario | balejin (UID 89385) |
|---|
| Sumisión | 2025-10-01 20:52 (hace 9 meses) |
|---|
| Moderación | 2025-10-07 15:17 (6 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 327372 [JhumanJ OpnForm hasta 1.9.3 /show/submissions secuencias de comandos en sitios cruzados] |
|---|
| Puntos | 20 |
|---|