GHSA-GX8M-F3MP-FG99
Vulnerability from github – Published: 2024-05-28 16:54 – Updated: 2024-05-31 20:33
Summary
formwork Cross-site scripting vulnerability in Markdown fields
Details
Impact
Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
Patches
- Formwork 1.13.0 has been released with a patch that solves this vulnerability. The system config option content.safe_mode (enabled by default) now controls whether HTML tags and potentially dangerous links are escaped. This is configurable because in some cases more flexibility should be given. Panel users should be only a controlled group of editors, who cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
- Formwork 2.x (6adc302) adds a similar content.safeMode system option. As in Formwork 1.13.0, HTML tags and dangerous links are escaped by default. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.
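The safe-mode behaviour described above, as an added Python illustration that is not Formwork's own code (Formwork is PHP): a filter for the raw HTML an editor embeds in a Markdown field. With safe_mode on, every tag is escaped to visible text; with it off, an assumed allowlist of harmless tags passes while <script>, event-handler attributes and javascript:-style links are still neutralised, mirroring the 2.x option. The tag and attribute allowlists, safe_url and the class names are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists (not Formwork's actual lists): harmless tags, their attributes,
# and link schemes that cannot execute code.
ALLOWED_TAGS = {"p", "em", "strong", "code", "pre", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(url: str) -> bool:
    """False for javascript:, data:, vbscript: and similar code-executing schemes."""
    # Browsers ignore whitespace/control chars inside a scheme and ignore case,
    # so normalise the same way before comparing.
    cleaned = "".join(ch for ch in url if ch.isprintable() and not ch.isspace()).lower()
    scheme, sep, _ = cleaned.partition(":")
    if not sep or any(c in scheme for c in "/?#"):
        return True  # no scheme at all: a relative link
    return scheme in SAFE_SCHEMES

class RawHtmlFilter(HTMLParser):
    """Rewrites raw HTML embedded in a Markdown field before it reaches the page."""
    def __init__(self, safe_mode: bool):
        super().__init__(convert_charrefs=True)
        self.safe_mode, self.out = safe_mode, []
    def handle_starttag(self, tag, attrs):
        if self.safe_mode or tag not in ALLOWED_TAGS:
            self.out.append(escape(self.get_starttag_text()))  # tag becomes visible text
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):  # drops on* handlers, style, ...
                continue
            if name == "href" and not safe_url(value):
                continue
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        allowed = not self.safe_mode and tag in ALLOWED_TAGS
        self.out.append(closing if allowed else escape(closing))
    def handle_data(self, data):
        # <script> bodies arrive here as data (HTMLParser's CDATA mode), so they are escaped too.
        self.out.append(escape(data))

def sanitize_raw_html(fragment: str, safe_mode: bool = True) -> str:
    parser = RawHtmlFilter(safe_mode)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

HTML comments are silently dropped by this filter; a Markdown link such as `[x](javascript:...)` should be checked with safe_url at conversion time as well, since the converter emits it as an `<a>` rather than as raw HTML.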
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621
Severity
4.8 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "getformwork/formwork"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.13.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-35621"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-28T16:54:31Z",
"nvd_published_at": "2024-05-28T16:15:16Z",
"severity": "MODERATE"
},
"details": "### Impact\nUsers with access to the administration panel with page editing permissions could insert `\u003cscript\u003e` tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.\n\n### Patches\n\n- [**Formwork 1.13.0**](https://github.com/getformwork/formwork/releases/tag/1.13.0) has been released with a patch that solves this vulnerability. Now the system config option `content.safe_mode` (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.\n- [**Formwork 2.x** (6adc302)](https://github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723) adds a similar `content.safeMode` system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, `\u003cscript\u003e` and other dangerous tags are still converted to text, but secure tags are allowed.\n\n### References\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621\n",
"id": "GHSA-gx8m-f3mp-fg99",
"modified": "2024-05-31T20:33:40Z",
"published": "2024-05-28T16:54:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getformwork/formwork/security/advisories/GHSA-gx8m-f3mp-fg99"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35621"
},
{
"type": "WEB",
"url": "https://github.com/getformwork/formwork/commit/2d92e6dbf99a9a49797947afbda0cdd4e56e11df"
},
{
"type": "WEB",
"url": "https://github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723"
},
{
"type": "PACKAGE",
"url": "https://github.com/getformwork/formwork"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "formwork Cross-site scripting vulnerability in Markdown fields"
}