Moderate severity · NVD Advisory · Published Feb 24, 2012 · Updated Apr 29, 2026
CVE-2012-1209
Description
Cross-site scripting (XSS) vulnerability in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| forkcms/forkcms (Packagist) | < 3.2.5 | 3.2.5 |
Affected products
Patches
c8ec9c58a6b3: Make sure the highlight string doesn't contain html tags.
1 file changed · +4 −1
backend/core/engine/base.php+4 −1 modified@@ -155,7 +155,10 @@ public function execute() else $this->tpl->assign('reportMessage', BL::msg($messageName)); // highlight an element with the given id if needed - if($this->getParameter('highlight')) $this->tpl->assign('highlight', $this->getParameter('highlight')); + if($this->getParameter('highlight')) + { + $this->tpl->assign('highlight', strip_tags($this->getParameter('highlight'))); + } } // is there an error to show?
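Review bot: strip_tags() on the `highlight` value removes tag markup but does not HTML-encode what remains (quotes, angle brackets inside attributes, etc.), so whether this hunk fully closes the XSS depends on how the template renders the `highlight` variable, which is not visible here. Since the comment says the value is an element id, the more robust fix is to validate it against an identifier pattern (for example `^[A-Za-z0-9_-]+$`) and reject anything else, and to escape at the output point with htmlspecialchars(..., ENT_QUOTES); a strip-and-pass-through filter should not be the only line of defence.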
df75e0797a65: This should fix the backend XSS.
1 file changed · +4 −3
backend/core/engine/base.php+4 −3 modified@@ -11,6 +11,7 @@ * This class implements a lot of functionality that can be extended by a specific action * * @author Tijs Verkoyen <tijs@sumocoders.be> + * @author Frederik Heyninck <frederik@figure8.be> */ class BackendBaseAction { @@ -168,21 +169,21 @@ public function execute() $this->tpl->assign('report', true); // camelcase the string - $messageName = SpoonFilter::toCamelCase($this->getParameter('report'), '-'); + $messageName = SpoonFilter::toCamelCase(SpoonFilter::stripHTML($this->getParameter('report')), '-'); // if we have data to use it will be passed as the var parameter if(!empty($var)) $this->tpl->assign('reportMessage', vsprintf(BL::msg($messageName), $var)); else $this->tpl->assign('reportMessage', BL::msg($messageName)); // highlight an element with the given id if needed - if($this->getParameter('highlight')) $this->tpl->assign('highlight', $this->getParameter('highlight')); + if($this->getParameter('highlight')) $this->tpl->assign('highlight', SpoonFilter::stripHTML($this->getParameter('highlight'))); } // is there an error to show? if($this->getParameter('error') !== null) { // camelcase the string - $errorName = SpoonFilter::toCamelCase($this->getParameter('error'), '-'); + $errorName = SpoonFilter::toCamelCase(SpoonFilter::stripHTML($this->getParameter('error')), '-'); // if we have data to use it will be passed as the var parameter if(!empty($var)) $this->tpl->assign('errorMessage', vsprintf(BL::err($errorName), $var));
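Review bot: the `-` line in the second hunk is the original unsanitized `$this->tpl->assign('highlight', $this->getParameter('highlight'))`, not the strip_tags() version introduced in c8ec9c58a6b3, so this commit was not based on that one; the two patches fix the same line independently and whichever is merged second will conflict with the other, and the braced block from the first fix is lost here. On the substance: `report` and `error` are camel-cased into message keys for BL::msg()/BL::err() and then fed through vsprintf() with `$var`, so a stripHTML() pass is the wrong shape of filter for them. Validate those parameters against the set of known message keys (or at least `^[a-z0-9-]+$`) before the lookup, and keep HTML escaping at the template output point rather than relying on SpoonFilter::stripHTML, which leaves quotes and other attribute-breaking characters intact. The first hunk only adds an `@author` line and needs no review.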
References
- github.com/forkcms/forkcms/commit/c8ec9c58a6b3c46cdd924532c1de99bcda6072ed (NVD: Exploit, Patch, Web)
- github.com/forkcms/forkcms/commit/df75e0797a6540c4d656969a2e7df7689603b2cf (NVD: Exploit, Patch, Web)
- github.com/advisories/GHSA-v3fg-x8jw-m974 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2012-1209 (GHSA: Advisory)
- www.fork-cms.com/blog/detail/fork-cms-3-2-5-released (NVD: Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/73393 (NVD: Web)