
GHSA-vf6x-59hh-332f getformwork/formwork

Package

Manager: composer
Name: getformwork/formwork
Vulnerable Version: =2.0.0-beta.3 || >=2.0.0-beta.3 <2.0.0-beta.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Formwork has a cross-site scripting (XSS) vulnerability in Site title

### Summary

The site title field at /panel/options/site/ allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.

### Impact

The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.

### Patches

- [**Formwork 2.x** (aa3e9c6)](https://github.com/getformwork/formwork/commit/aa3e9c684035d9e8495169fde7c57d97faa3f9a2) escapes site title from panel header navigation.

### Details

By embedding "<!--", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.

### PoC

![image](https://github.com/user-attachments/assets/8fc68f6f-8bc4-4b97-8b93-dee5b88a3fcf)

1. The page where the vulnerability was found; the attack surface is the Title field.

![image](https://github.com/user-attachments/assets/dbf94354-7115-4d3b-81ba-6b6aff561b81)

2. I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected.

![image](https://github.com/user-attachments/assets/0e72129a-7f2d-4f0e-b85e-0b1cedfd377e)

3. Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.
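The advisory's fix is output escaping of the site title where it is rendered into the panel header. The following PHP is an added illustration, not Formwork's own code, of the vulnerable rendering pattern beside the escaped one; the function names, the markup and the sample title are constructed for this example. It shows why a stored value containing the comment opener mentioned above swallows the markup that follows it, and how escaping at the point of output keeps the navigation intact.

```php
<?php
// Added example (not Formwork's code). Function and variable names are
// assumptions made for this illustration.

declare(strict_types=1);

/**
 * Escape a value for insertion into HTML text or attribute context.
 * ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
 * empty string on malformed UTF-8, which would otherwise blank the title.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored title is interpolated into the template as-is. */
function renderHeaderUnsafe(string $siteTitle): string
{
    return '<nav class="panel-header"><a href="/panel/">' . $siteTitle . '</a>'
         . '<a href="/panel/logout/">Logout</a></nav>';
}

/** Fixed pattern: the untrusted value is escaped at the point of output. */
function renderHeaderSafe(string $siteTitle): string
{
    return '<nav class="panel-header"><a href="/panel/">' . escapeHtml($siteTitle) . '</a>'
         . '<a href="/panel/logout/">Logout</a></nav>';
}

// Constructed sample title containing the comment opener the advisory describes.
$title = 'My Site <!--';

echo renderHeaderUnsafe($title), PHP_EOL;
// Everything after the title is inside an unterminated HTML comment, so the
// logout link (and any markup that follows) is never rendered by the browser.

echo renderHeaderSafe($title), PHP_EOL;
// The title appears as "My Site &lt;!--" and the rest of the navigation is intact.

// Regression check worth keeping in a test suite for every template that
// prints user-controlled settings:
assert(str_contains(renderHeaderSafe($title), '&lt;!--'));
assert(!str_contains(renderHeaderSafe($title), '<!--'));
```

The same check applies to any other setting an administrator can edit and that is printed into panel or front-end templates: the escaping belongs in the template output, not in the form handler, so that the stored value stays unchanged while every rendering context is protected.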

Metadata

Created: 2025-03-01T00:11:46Z
Modified: 2025-03-17T20:27:03Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-vf6x-59hh-332f/GHSA-vf6x-59hh-332f.json
CWE IDs: ["CWE-80"]
Alternative ID: N/A
Finding: F063
Auto approve: 1