| Title | GitHub OpnForm 1.9.3 Cross Site Scripting |
|---|
| Description | Title: Unauthenticated Stored XSS on Form Text Input in v1.9.3
Description: XSS is possible on form input under the Text Input Block which allows an unauthenticated attacker that knows the form URL to submit arbitrary JS. An authenticated victim would have to view the form submission under /show/submissions endpoint to trigger the malicious JS.
The vulnerability has confirmed by the vendor to have been patched in v1.9.3 main branch with commit a2af1184e53953afa8cb052f4055f288adcaa608.
Please see the attached Google Doc link for more information under 1. Unauthenticated Stored XSS on Form Text Input and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: https://github.com/JhumanJ/OpnForm/pull/900/commits/a2af1184e53953afa8cb052f4055f288adcaa608 |
|---|
| Source | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?usp=sharing |
|---|
| User | balejin (UID 89385) |
|---|
| Submission | 10/01/2025 20:52 (9 months ago) |
|---|
| Moderation | 10/07/2025 15:17 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327372 [JhumanJ OpnForm up to 1.9.3 /show/submissions cross site scripting] |
|---|
| Points | 20 |
|---|