CVE-2024-37160

2024-06-0714:15:10

CWE-79

[email protected]

web.nvd.nist.gov

formwork cms

arbitrary script execution

web scripts

administrator privilege

site options

persistence

vulnerability

nvd

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

5.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.1%

JSON

Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.

Affected configurations

Vulners

NVD

Node

getformworkformworkRange<1.13.1

getformworkformworkMatch2.0.0-beta.1

CPENameOperatorVersion
formwork_project:formworkformwork project formworklt1.13.1

CPE	Name	Operator	Version
formwork_project:formwork	formwork project formwork	lt	1.13.1

CNA Affected

[
  {
    "vendor": "getformwork",
    "product": "formwork",
    "versions": [
      {
        "version": "< 1.13.1",
        "status": "affected"
      },
      {
        "version": "= 2.0.0-beta.1",
        "status": "affected"
      }
    ]
  }
]