| Title | GitHub OpnForm 1.9.3 Cross Site Scripting |
|---|
| Description | Title: Authenticated Stored XSS in Form Editor
Description: An authenticated stored XSS vulnerability exists in a form’s custom code editor where a user with the ability to edit a form’s custom code can inject JS that is later executed in the browser of users or administrators who view the form, enabling exfiltration of session cookies or bearer tokens and leading to account takeover.
The vendor has stated that the feature is disabled until the user has configured their own domain which will mitigate this attack vector.
Please see the attached Google Doc link for more information under 3. Authenticated Stored XSS in Form Editor Enables Token Theft and the Response from the Vendor section for more detail.
Vulnerable version: https://github.com/JhumanJ/OpnForm/tree/v1.9.3
Patched Commit: N/A |
|---|
| Source | ⚠️ https://docs.google.com/document/d/1GUjJA9vUbsXUngAv6ySsbCIhVynf8_djardLZYEDOe0/edit?tab=t.0#heading=h.nowv0hlgdq8 |
|---|
| User | balejin (UID 89385) |
|---|
| Submission | 10/01/2025 20:57 (9 months ago) |
|---|
| Moderation | 10/07/2025 15:17 (6 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 327374 [JhumanJ OpnForm up to 1.9.3 Form Editor /api/open/forms/ cross site scripting] |
|---|
| Points | 20 |
|---|