CVE-2024-35621 – getformwork/formwork

Package

Manager: composer
Name: getformwork/formwork
Vulnerable Version: >=0 <1.13.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00132 pctl0.33611

Details

formwork Cross-site scripting vulnerability in Markdown fields ### Impact Users with access to the administration panel with page editing permissions could insert `<script>` tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections. ### Patches - [**Formwork 1.13.0**](https://github.com/getformwork/formwork/releases/tag/1.13.0) has been released with a patch that solves this vulnerability. Now the system config option `content.safe_mode` (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities. - [**Formwork 2.x** (6adc302)](https://github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723) adds a similar `content.safeMode` system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, `<script>` and other dangerous tags are still converted to text, but secure tags are allowed. ### References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621

Metadata

Created: 2024-05-28T16:54:31Z
Modified: 2024-05-31T20:33:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-gx8m-f3mp-fg99/GHSA-gx8m-f3mp-fg99.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-gx8m-f3mp-fg99
Finding: F425
Auto approve: 1