CVE-2012-1209: Fork CMS XSS via Highlight Parameter
4.3
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.51665%
CWE
Published
5/14/2022
Updated
1/12/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
AV:N/AC:M/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
forkcms/forkcms | composer | <= 3.2.4 | 3.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the unescaped 'highlight' parameter being passed to the template engine in BackendBaseAction::execute
. The GitHub patch adds strip_tags()
sanitization to this parameter, confirming that the lack of input filtering in the original code (via $this->getParameter('highlight')
) was the vulnerable path. The function's role in processing user input for template rendering directly correlates with the XSS vulnerability described.