Vulnerability!- Cross Site Scripting (XSS)

Status
Not open for further replies.

mattsh

Member
Hi!

My IT security department informed me that there's a problem with a Fabrik form, a Cross Site Scripting (XSS) vulnerability, and they sent me the link below.

This link (made anonymous) is a form you reach from a list connected by dbjoin (course_date_id) via a related link. The dbjoin element is just shown in the form (auto-complete).
https://XXXXXXXXX/fabrik/form/5?referring_table=4&XXXXX_course_registration___course_date_id_raw=876

Cross Site Scripting (XSS)
CVSSv3 Score: 6.1

Is it a real vulnerability I need to act on? Do you need additional information? I'm far from an expert in this area....

Regards
Matt
J 3.9.24
F 3.9 (not the latest...)
 
Seems to be the issue described in here:
https://github.com/Fabrik/fabrik/issues/2033

Although I couldn't track down the fix for this, I don't seem to have this issue with Github update from a few weeks ago.

You could update Fabrik at least to 3.9.2. or make a Github update and see if the issue is still there.

About the severity, it's always a subjective matter and depends on a lot of things. If it's not a public form, I would say that the probability of "something bad" happening regarding this is minor.
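To make concrete what a reflected XSS on a query parameter such as the `..._course_date_id_raw=876` in the link above comes down to, here is an added PHP example. It is not Fabrik's code and not from any post in this thread; it contrasts a handler that copies the raw query value straight into HTML with one that first validates the value as a numeric id and then entity-encodes it for the attribute context. The constant name, the function names and the two constructed inputs are assumptions made for the demonstration.

```php
<?php
// Added example, not Fabrik's code: a generic PHP handler for a "_raw" id
// parameter arriving on the query string. The parameter name mirrors the
// anonymised URL in the post; everything else here is constructed.
declare(strict_types=1);

const RAW_PARAM = 'XXXXX_course_registration___course_date_id_raw';

// Vulnerable pattern: the query value is concatenated into HTML unchanged, so a
// value containing a double quote leaves the attribute and becomes markup.
function renderUnsafe(array $query): string
{
    $value = $query[RAW_PARAM] ?? '';
    return '<input type="hidden" name="course_date_id" value="' . $value . '">';
}

// Hardened step 1 (validation): the value is a database id, so only a short
// string of digits is accepted; anything else is rejected (null), never echoed.
function readRawId(array $query): ?int
{
    $value = $query[RAW_PARAM] ?? null;
    if (!is_string($value) || preg_match('/^\d{1,10}$/', $value) !== 1) {
        return null;
    }
    return (int) $value;
}

// Hardened step 2 (output encoding): whatever reaches the HTML attribute is
// entity-encoded with ENT_QUOTES, so even a non-numeric value could not break out.
function renderSafe(array $query): string
{
    $id = readRawId($query);
    $attr = htmlspecialchars($id === null ? '' : (string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="course_date_id" value="' . $attr . '">';
}

// Constructed inputs: the legitimate value from the post's link, and a value
// with an attribute-closing quote of the kind a security scanner submits.
$legit   = [RAW_PARAM => '876'];
$hostile = [RAW_PARAM => '876"><b>injected</b>'];

echo "unsafe/legit:   ", renderUnsafe($legit),   PHP_EOL;
echo "unsafe/hostile: ", renderUnsafe($hostile), PHP_EOL; // attribute is broken out of
echo "safe/legit:     ", renderSafe($legit),     PHP_EOL;
echo "safe/hostile:   ", renderSafe($hostile),   PHP_EOL; // value rejected, empty attribute

// Self-check: the hardened renderer never emits the hostile markup.
assert(strpos(renderSafe($hostile), '<b>') === false);
assert(readRawId($legit) === 876);
```

Validation alone would suffice for this parameter, since it can only ever be an id; the encoding step is the general rule for any query value that reaches HTML, and it is the absence of that step, not the parameter itself, that a scanner reports as reflected XSS.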
 
The dbjoin element is shown in the form (auto-complete); is there any difference if I change it to a dropdown?

Matt
 