GSD-2021-32697
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-32697",
"description": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567",
"id": "GSD-2021-32697"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-32697"
],
"details": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567",
"id": "GSD-2021-32697",
"modified": "2023-12-13T01:23:09.403825Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32697",
"STATE": "PUBLIC",
"TITLE": "Form validation can be skipped"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "form",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.2.0, \u003c 4.3.3"
},
{
"version_value": "\u003e= 5.0.0, \u003c 5.0.9"
},
{
"version_value": "\u003e= 5.1.0, \u003c 5.1.3"
}
]
}
}
]
},
"vendor_name": "neos"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm",
"refsource": "CONFIRM",
"url": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm"
},
{
"name": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1",
"refsource": "MISC",
"url": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1"
},
{
"name": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567",
"refsource": "MISC",
"url": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
},
{
"name": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246",
"refsource": "MISC",
"url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246"
},
{
"name": "https://github.com/neos/form/releases/tag/5.1.3",
"refsource": "MISC",
"url": "https://github.com/neos/form/releases/tag/5.1.3"
}
]
},
"source": {
"advisory": "GHSA-m5vx-8chx-qvmm",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.2.0,\u003c4.3.3||\u003e=5.0.0,\u003c5.0.9||\u003e=5.1.0,\u003c5.1.3",
"affected_versions": "All versions starting from 1.2.0 before 4.3.3, all versions starting from 5.0.0 before 5.0.9, all versions starting from 5.1.0 before 5.1.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2021-06-29",
"description": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher.",
"fixed_versions": [
"4.3.3",
"5.0.9",
"5.1.3"
],
"identifier": "CVE-2021-32697",
"identifiers": [
"CVE-2021-32697",
"GHSA-m5vx-8chx-qvmm"
],
"not_impacted": "All versions before 1.2.0, all versions starting from 4.3.3 before 5.0.0, all versions starting from 5.0.9 before 5.1.0, all versions starting from 5.1.3",
"package_slug": "packagist/neos/form",
"pubdate": "2021-06-21",
"solution": "Upgrade to versions 4.3.3, 5.0.9, 5.1.3 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-32697"
],
"uuid": "39ac7e65-3e56-4c93-9ef7-6b40df4428fc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.3.3",
"versionStartIncluding": "1.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.9",
"versionStartIncluding": "5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:neos:form:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "5.1.3",
"versionStartIncluding": "5.1.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32697"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "neos/forms is an open source framework to build web forms. By crafting a special `GET` request containing a valid form state, a form can be submitted without invoking any validators. Form state is secured with an HMAC that is still verified. That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent. Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data. Alternatively a custom Finisher can be added as first finisher. This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/neos/form/releases/tag/5.1.3",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/neos/form/releases/tag/5.1.3"
},
{
"name": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1"
},
{
"name": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246"
},
{
"name": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm"
},
{
"name": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4
}
},
"lastModifiedDate": "2021-06-29T14:53Z",
"publishedDate": "2021-06-21T19:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…