

Date: November 16, 2021


The Factor (App Framework & Headless CMS) forum plugin, versions v1.3.3 to v1.8.30, is vulnerable to stored Cross-Site Scripting (XSS) in the “post reply” section. An unauthenticated attacker can execute malicious JavaScript code and steal the session cookies.


Factor has a stored XSS vulnerability in the “Post Reply” section, which may allow a low-privileged member to execute malicious JavaScript code.

PoC Details

In a normal window, log in at http://localhost:3000 as an administrator. Then go to http://localhost:3000/dashboard/posts/forumTopic, create a sample forum topic “topicbyadmin”, and update it.
Open the application in an incognito window by going to http://localhost:3000 and sign up with a new account. Go to the discussion “topicbyadmin” and, in the comments section, add the payload given below.
Go to the administrator session and browse the discussion section. Then click on the “topicbyadmin” thread and refresh the page. A popup will appear.

PoC Code


Affected Environments

1.3.3 to 1.8.30


No fix

Language: VUE

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

No fix version available
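
With no fixed version listed, an interim mitigation is to HTML-escape reply content wherever it is rendered and to audit replies already stored in the forum for active markup. The block below is an added example, not code from Factor or from this advisory; the reply shape (`id`, `content`) and the function names are assumptions, and the sample replies are constructed.

```javascript
// Added example: not Factor's code. The reply shape {id, content} is an assumption.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every HTML metacharacter so stored reply text renders as inert text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Heuristic indicators of active content in a stored reply.
// This is an audit aid for triage, not a sanitizer.
const INDICATORS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: 'embedding-tag', re: /<\s*(?:iframe|object|embed|svg)\b/i },
];

// Return the replies that need review, with the indicators that matched.
function auditReplies(replies) {
  const findings = [];
  for (const reply of replies) {
    const hits = INDICATORS.filter((i) => i.re.test(reply.content)).map((i) => i.name);
    if (hits.length > 0) findings.push({ id: reply.id, indicators: hits });
  }
  return findings;
}

// Constructed sample replies (not the advisory's PoC payload).
const sampleReplies = [
  { id: 1, content: 'Thanks, this fixed my build.' },
  { id: 2, content: '<img src=x onerror=alert(1)>' },
  { id: 3, content: 'Use a < b && c > d in the template.' },
  { id: 4, content: '<script>document.title="x"</script>' },
];

console.log(auditReplies(sampleReplies));
console.log(escapeHtml(sampleReplies[1].content));
```

In a Vue template, text interpolation with `{{ }}` already escapes its value; explicit escaping matters wherever reply content is injected as raw HTML, for example through `v-html`.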

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None