CVE-2014-9470 - Vulnerability Details - OpenCVE

Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fork-cms	Fork Cms

Configuration 1 [-]

cpe:2.3:a:fork-cms:fork_cms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://seclists.org/fulldisclosure/2015/Jan/38
http://www.fork-cms.com/blog/detail/fork-3.8.4-released
http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html
http://www.securityfocus.com/bid/72017
https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114
https://github.com/forkcms/forkcms/issues/1018s

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-08T16:03:43

Updated: 2024-08-06T13:47:40.347Z

Reserved: 2015-01-03T00:00:00

Link: CVE-2014-9470

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-02-08T17:15:11.247

Modified: 2024-11-21T02:20:57.950

Link: CVE-2014-9470

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-12T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-08T16:03:42", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html"}, {"tags": ["x_refsource_MISC"], "url": "http://seclists.org/fulldisclosure/2015/Jan/38"}, {"tags": ["x_refsource_MISC"], "url": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/forkcms/forkcms/issues/1018s"}, {"tags": ["x_refsource_MISC"], "url": "http://www.securityfocus.com/bid/72017"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9470", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html", "refsource": "MISC", "url": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html"}, {"name": "http://seclists.org/fulldisclosure/2015/Jan/38", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2015/Jan/38"}, {"name": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released", "refsource": "MISC", "url": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released"}, {"name": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114", "refsource": "MISC", "url": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114"}, {"name": "https://github.com/forkcms/forkcms/issues/1018s", "refsource": "MISC", "url": "https://github.com/forkcms/forkcms/issues/1018s"}, {"name": "http://www.securityfocus.com/bid/72017", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/72017"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:47:40.347Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2015/Jan/38"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/forkcms/forkcms/issues/1018s"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.securityfocus.com/bid/72017"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9470", "datePublished": "2020-02-08T16:03:43", "dateReserved": "2015-01-03T00:00:00", "dateUpdated": "2024-08-06T13:47:40.347Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:fork-cms:fork_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE88F534-F422-464E-B76D-6C52F6ACD4B9", "versionEndExcluding": "3.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the loadForm function in Frontend/Modules/Search/Actions/Index.php in Fork CMS before 3.8.4 allows remote attackers to inject arbitrary web script or HTML via the q_widget parameter to en/search."}, {"lang": "es", "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en la funci\u00f3n loadForm en el archivo Frontend/Modules/Search/Actions/Index.php en Fork CMS versiones anteriores a 3.8.4, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro q_widget en en/search."}], "id": "CVE-2014-9470", "lastModified": "2024-11-21T02:20:57.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-08T17:15:11.247", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2015/Jan/38"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72017"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://github.com/forkcms/forkcms/issues/1018s"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2015/Jan/38"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.fork-cms.com/blog/detail/fork-3.8.4-released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://www.itas.vn/news/itas-team-found-out-a-cross-site-scripting-vulnerability-in-fork-cms-70.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/72017"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/forkcms/forkcms/commit/4a7814762adf4f56f932d95146c7e4126d872114"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/forkcms/forkcms/issues/1018s"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}