| Field | Value |
|---|---|
| Title | GitHub OpnForm 1.9.3 Cross Site Scripting |
| Description | Title: Authenticated Stored XSS in Form Editor<br>Description: An authenticated stored XSS vulnerability exists in a form's custom code editor, where a user with the ability to edit a form's custom code can inject JS that is later executed in the browser of users or administrators who view the form, enabling exfiltration of session cookies or bearer tokens and leading to account takeover.<br>The vendor has stated that the feature is disabled until the user has configured their own domain, which mitigates this attack vector.<br>Please see the attached Google Doc link for more information, under "3. Authenticated Stored XSS in Form Editor Enables Token Theft" and the "Response from the Vendor" section.<br>Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3<br>Patched Commit: N/A |
| Source | https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8 |
| User | balejin (UID 89385) |
| Submitted | 2025-10-01 08:57 PM (9 months ago) |
| Moderation | 2025-10-07 03:17 PM (6 days later) |
| Status | Accepted |
| VulDB entry | 327374 [JhumanJ OpnForm up to 1.9.3 Form Editor /api/open/forms/ cross site scripting] |
| Points | 20 |
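The vendor's mitigation described in the submission, gating the custom-code feature behind a user-configured domain, works only if that domain is a different *site* from the application origin, because cookies can be scoped to a whole registrable domain rather than to one host. The following is an added example, not OpnForm's code, of such an isolation check; the function names and the tiny public-suffix list are assumptions made for illustration.

```javascript
// Added example (not OpnForm's code): decide whether a form served on a
// customer-configured domain is isolated enough from the application origin
// for its custom code to run. Function names and the suffix list are
// assumptions made for this illustration.

// Constructed, deliberately tiny public-suffix list. A real deployment would
// use the full Public Suffix List; this set is an assumption for the example.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a host: "forms.app.example.com" -> "example.com".
// Cookies can be scoped to this whole site via the Domain attribute, so two
// hosts sharing it must be treated as the same site, not merely the same origin.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Try the longest suffix candidate first, then shorter ones.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // no known suffix: treat the whole host as the site
}

function sameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

// Custom code may run only when the form page is served over HTTPS from a
// different site than the application (dashboard / API) origin. Script injected
// into a same-site page could read cookies scoped to the app's site; a page on
// a different site cannot, which is the isolation a custom-domain requirement
// is meant to provide.
function customCodeAllowed(appOrigin, formUrl) {
  const app = new URL(appOrigin);
  const form = new URL(formUrl);
  if (form.protocol !== "https:") return false; // never enable over plaintext
  return !sameSite(app.hostname, form.hostname);
}

// Constructed sample inputs.
const APP = "https://app.example.com";
const cases = [
  "https://app.example.com/forms/abc",  // same origin: blocked
  "https://forms.example.com/f/abc",    // same site via Domain cookies: blocked
  "http://survey.customer.org/f/abc",   // different site but plaintext: blocked
  "https://survey.customer.org/f/abc",  // different site over HTTPS: allowed
];
for (const url of cases) {
  console.log(url, "->", customCodeAllowed(APP, url) ? "custom code allowed" : "blocked");
}
```

The check covers cookie and storage isolation only. A bearer token that the form page itself fetches and keeps in JavaScript-reachable storage, or that arrives in the page URL, is still readable by injected script on the custom domain, so session cookies should additionally be HttpOnly and tokens should not be exposed to the form page at all.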