VYPR
Moderate severity · NVD Advisory · Published Sep 26, 2012 · Updated Apr 29, 2026

CVE-2012-1188

Description

Multiple cross-site scripting (XSS) vulnerabilities in Fork CMS before 3.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) type or (2) querystring parameters to private/en/error or (3) name parameter to private/en/locale/index.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: forkcms/forkcms (Packagist)
Affected versions: < 3.2.7
Patched versions: 3.2.7

Patches

1269fe8b3813

fix xss vulnerability

https://github.com/forkcms/forkcms · mlitn · Feb 28, 2012 · via ghsa
1 file changed · +1 -1
  • backend/modules/error/actions/index.php · +1 -1 · modified
    @@ -64,7 +64,7 @@ protected function parse()
     				SpoonHTTP::setHeadersByCode(404);
     
     				// give a nice error, so we can detect which file is missing
    -				echo 'Requested file (' . implode('?', $chunks) . ') not found.';
    +				echo 'Requested file (' . htmlspecialchars($this->getParameter('querystring')) . ') not found.';
     
     				// stop script execution
     				exit;
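
Review bot: htmlspecialchars() on the added echo line is called with no flags or charset, so it relies on the runtime defaults (ENT_COMPAT, which leaves single quotes unescaped, and on PHP before 5.4 an ISO-8859-1 charset). That is enough for this text context, but passing them explicitly, e.g. htmlspecialchars($this->getParameter('querystring'), ENT_QUOTES, 'UTF-8'), keeps the call safe if the string is later moved into an attribute. The same line also stops printing implode('?', $chunks) and prints the raw querystring parameter instead, so the message may no longer name the file that was actually looked up; escaping the existing implode() result would close the XSS without changing what is reported.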
    
995220182068

resolve xss vulnerability

https://github.com/forkcms/forkcms · mlitn · Feb 28, 2012 · via ghsa
1 file changed · +1 -1
  • backend/modules/error/actions/index.php · +1 -1 · modified
    @@ -72,6 +72,6 @@ protected function parse()
     		}
     
     		// assign the correct message into the template
    -		$this->tpl->assign('message', BL::err(SpoonFilter::toCamelCase($errorType, '-')));
    +		$this->tpl->assign('message', BL::err(SpoonFilter::toCamelCase(htmlspecialchars($errorType), '-')));
     	}
     }
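
Review bot: in the assign('message', ...) line, htmlspecialchars() is applied to $errorType before SpoonFilter::toCamelCase() and BL::err() run, so what reaches the template is whatever those two calls return for an entity-encoded key rather than a string escaped at output. Escape where the value is emitted instead, by wrapping the result of BL::err(...) if the labels are plain text or by escaping in the template. Since $errorType is only used here as a lookup key, checking it against the known error types before the lookup would remove the dependency on escaping altogether.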
    
