CVE-2020-23049: 
PHP vulnerability analysis and mitigation

A vulnerability was discovered in Fork CMS v5.8.0 that allows remote attackers to inject malicious script code with persistent attack vectors to compromise browser-to-web-application requests (Vulnerability Lab). The vulnerability was disclosed on April 16, 2020, and affects the displayname input field when using Add, Edit, or Register mechanisms.

The vulnerability exists in the Displayname input field that forwards information into the var parameter. The issue occurs because the var parameter does not encode or parse the injected content and executes it instead. The vulnerability can be exploited via POST requests, with injection points in the registration form and add/edit user functions. The execution points occur in the preview profile, edit user, user index listing, and delete user message context (Vulnerability Lab).

Successful exploitation of the vulnerability can result in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources, and persistent manipulation of affected application modules. The vulnerability affects multiple modules including Preview Profile, Edit User, User Index, and Delete User (Vulnerability Lab).