| Название | GitHub OpnForm 1.9.3 Cross Site Scripting |
|---|
| Описание | Title: Authenticated Stored XSS in Form Editor
Description: An authenticated stored XSS vulnerability exists in a form’s custom code editor where a user with the ability to edit a form’s custom code can inject JS that is later executed in the browser of users or administrators who view the form, enabling exfiltration of session cookies or bearer tokens and leading to account takeover.
The vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector.
Please see the attached Google Doc link for more information under 3. Authenticated Stored XSS in Form Editor Enables Token Theft and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: N/A |
|---|
| Источник | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8 |
|---|
| Пользователь | balejin (UID 89385) |
|---|
| Представление | 01.10.2025 20:57 (9 месяцы назад) |
|---|
| Модерация | 07.10.2025 15:17 (6 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 327374 [JhumanJ OpnForm до 1.9.3 Form Editor /api/open/forms/ межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|