Vulnerability Description
Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fork-Cms | Fork Cms | < 3.8.4 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2015/Jan/38ExploitMailing ListThird Party Advisory
- http://www.fork-cms.com/blog/detail/fork-3.8.4-releasedVendor Advisory
- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerabilityBroken Link
- http://www.securityfocus.com/bid/72017Third Party AdvisoryVDB Entry
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d8721PatchThird Party Advisory
- https://github.com/forkcms/forkcms/issues/1018sBroken Link
- http://seclists.org/fulldisclosure/2015/Jan/38ExploitMailing ListThird Party Advisory
- http://www.fork-cms.com/blog/detail/fork-3.8.4-releasedVendor Advisory
- http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerabilityBroken Link
- http://www.securityfocus.com/bid/72017Third Party AdvisoryVDB Entry
- https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d8721PatchThird Party Advisory
- https://github.com/forkcms/forkcms/issues/1018sBroken Link
FAQ
What is CVE-2014-9470?
CVE-2014-9470 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML v...
How severe is CVE-2014-9470?
CVE-2014-9470 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-9470?
Check the references section above for vendor advisories and patch information. Affected products include: Fork-Cms Fork Cms.