CVE-2018-20682
Description
Fork CMS 5.0.6 contains a stored XSS vulnerability via the facebook_admin_ids parameter in the settings page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Fork CMS versions up to and including 5.0.6 contain a stored cross-site scripting vulnerability in the private /en/settings endpoint. The facebook_admin_ids POST parameter (labeled "Admin ids" in the Facebook section of the settings page) is not sanitized before being stored and later reflected in the application's HTML. An attacker with authenticated access to the settings page can inject arbitrary JavaScript payloads that persist in the database and execute in the context of any user viewing the affected input field. The attack pattern demonstrated includes injecting an onmouseover event handler [1][2].
Exploitation
To exploit this vulnerability, an attacker must have a valid user account with access to the Settings > General page in the Fork CMS admin panel. The attacker navigates to that page, pastes the malicious payload into the "Admin ids" input field in the Facebook section, clicks "Add" to save the value, and then clicks the save button. The stored payload is triggered when another user (or the attacker themselves) moves their mouse cursor over the "Admin ids" input field, executing the injected script [2].
Impact
Successful exploitation results in stored cross-site scripting, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session within the CMS admin panel. The impact is primarily on confidentiality and integrity: the attacker can steal cookies, perform actions on behalf of the victim (e.g., modify settings, create admin accounts), or deface the admin interface. The CVSS v3.0 score of this issue is 6.1 (Medium), with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N, indicating low attack complexity but requiring user interaction [1][2].
Mitigation
No official fix has been released by the vendor for this issue as of the advisory publication date (December 2018). The vulnerability remains unpatched in Fork CMS 5.0.6 and likely in earlier versions. The advisory recommends upgrading to a patched version if one becomes available, but no such version is indicated. As a workaround, administrators can restrict access to the settings page to trusted users only and ensure that users do not input untrusted data into the "Admin ids" field [2].
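The workaround above amounts to the two checks a patch would need. As an added illustration (not Fork CMS's own code; function names and the assumption that the field holds only numeric Facebook IDs are mine), this PHP rejects non-numeric input and escapes the stored value for the attribute context it is rendered into:

```php
<?php
// Added example, not Fork CMS code: validate facebook_admin_ids on input
// and escape it on output so a stored value cannot break out of the
// input's value="" attribute.

/**
 * Accept only comma-separated numeric Facebook admin IDs (assumption:
 * the field is meant to hold numeric IDs). Returns the normalised
 * string, or null when any element is not a plain number.
 */
function validateFacebookAdminIds(string $raw): ?string
{
    $ids = array_map('trim', explode(',', $raw));
    foreach ($ids as $id) {
        if ($id === '' || !preg_match('/^\d{1,20}\z/', $id)) {
            return null;
        }
    }
    return implode(',', $ids);
}

/**
 * Render the stored value back into the settings form. The vulnerable
 * pattern is the unescaped concatenation; htmlspecialchars with
 * ENT_QUOTES encodes both quote characters, which is what keeps the
 * value inside the attribute.
 */
function renderAdminIdsInput(string $stored): string
{
    // Vulnerable form (do not use):
    //   '<input name="facebook_admin_ids" value="' . $stored . '">'
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="facebook_admin_ids" value="' . $safe . '">';
}

// Constructed sample in the shape the advisory describes: a value that
// closes the attribute and appends an onmouseover handler.
$hostile = '123" onmouseover="alert(1)';

var_dump(validateFacebookAdminIds($hostile));       // rejected by validation
echo renderAdminIdsInput($hostile), PHP_EOL;         // quotes encoded, markup intact
echo renderAdminIdsInput('123456,7890123'), PHP_EOL; // benign value passes through
```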
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| forkcms/forkcms (Packagist) | <= 5.0.6 | — |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. The mechanics section (root cause, attack vector, affected code, fix) is only generated when the actual fix diff can be read; without it, those four sections would be speculation rather than analysis.
References
- github.com/advisories/GHSA-xcmj-xjhg-wvhq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-20682 (GHSA, advisory)
- www.netsparker.com/web-applications-advisories/ns-18-032-stored-cross-site-scripting-in-forkcms (GHSA, web)
- www.netsparker.com/web-applications-advisories/ns-18-032-stored-cross-site-scripting-in-forkcms/ (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.