PT-2021-11270 · Formstone · Formstone
Adriano Monteiro · Published 2021-01-07 · Updated 2022-05-24 · CVE-2020-26768
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions:
Formstone versions 1.4.16 and earlier
Description:
The issue is caused by improper validation and output encoding of user-supplied input that upload-target.php and upload-chunked.php reflect in their responses, leading to a Reflected Cross-Site Scripting (XSS) vulnerability. A remote attacker could exploit it with a specially crafted URL: once a victim clicks or visits the URL, the injected script executes in the victim's Web browser within the security context (origin) of the hosting Web site. This could allow the attacker to steal the victim's cookie-based authentication credentials (where session cookies are not marked HttpOnly), force malware execution, or redirect the user. The CVSS vector reflects this: no privileges are required (PR:N), but the victim must open the link (UI:R), and the impact lands in the victim's browser rather than in the vulnerable server-side component (S:C).
Recommendations:
For Formstone versions 1.4.16 and earlier, disable or remove upload-target.php and upload-chunked.php as a temporary workaround until a patch is available. If a deployment needs them, restrict access to these files (for example to authenticated users or trusted networks) to reduce exposure, bearing in mind that this only narrows who can be targeted: a reflected payload is delivered through the victim's own browser, so an authorized user who follows a crafted link is still exposed until the reflected input is encoded for the context it is written into. Users should not follow links to these endpoints from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
XSS (CWE-79)
Related Identifiers
CVE-2020-26768
Affected Products
Formstone
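To make the vulnerable pattern and its remedy concrete, the following is an added example and not Formstone's own code: a stand-in PHP handler that reflects a request parameter the way the description above explains, beside the hardened forms a maintainer would ship. The parameter name `name`, the response layout, and the file name `xss-demo.php` are assumptions made for illustration; the advisory does not state which parameter is reflected.

```php
<?php
// Added example (not Formstone's code): a minimal stand-in for an upload demo
// endpoint that reflects a request parameter. The parameter name "name" and
// the response layout are assumptions for illustration; the advisory does not
// name the reflected parameter.
declare(strict_types=1);

// Vulnerable pattern: the client-supplied value is concatenated straight into
// an HTML response, so a URL such as
//   upload-target.php?name=<img src=x onerror=alert(document.cookie)>
// runs attacker script in the origin of the hosting site once a victim opens it.
function renderVulnerable(array $request): string
{
    $name = (string) ($request['name'] ?? '');
    return '<p>Uploaded: ' . $name . '</p>';
}

// Hardened pattern for an HTML response: reduce the value to a plain base name
// and encode it for the HTML text context. ENT_QUOTES also covers attribute
// contexts; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function renderHardened(array $request): string
{
    $name = basename((string) ($request['name'] ?? ''));
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p>Uploaded: ' . $safe . '</p>';
}

// Hardened pattern for a JSON response: an upload handler that answers in JSON
// must also send a JSON Content-Type plus nosniff, otherwise a browser opening
// the crafted URL directly may still render the reflected value as HTML.
// Headers and body are returned as an array so the function is testable
// outside a web SAPI (a real endpoint would emit them with header()/echo).
function jsonHardened(array $request): array
{
    $name = basename((string) ($request['name'] ?? ''));
    $body = json_encode(
        ['name' => $name],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return [
        'headers' => [
            'Content-Type: application/json; charset=utf-8',
            'X-Content-Type-Options: nosniff',
        ],
        'body' => $body,
    ];
}

// Stand-alone check with a constructed payload (run with: php xss-demo.php).
if (PHP_SAPI === 'cli') {
    $payload = ['name' => '../<img src=x onerror=alert(document.cookie)>'];
    echo 'vulnerable: ', renderVulnerable($payload), PHP_EOL;
    echo 'hardened:   ', renderHardened($payload), PHP_EOL;
    echo 'json:       ', jsonHardened($payload)['body'], PHP_EOL;
    // The hardened HTML output must not contain a raw tag; exit non-zero if it does.
    exit(strpos(renderHardened($payload), '<img') === false ? 0 : 1);
}
```

Running the script prints the raw `<img ...>` tag from the vulnerable function, the entity-encoded `&lt;img ...&gt;` from the hardened one, and a JSON body in which `<` and `>` are escaped as `\u003C` and `\u003E`. The JSON variant matters for upload handlers in particular: encoding the value is not enough if the response is served as `text/html`, because a victim who opens the crafted URL directly gets the body rendered as a page, which is why the example pairs the encoding with a strict `Content-Type` and `X-Content-Type-Options: nosniff`.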