Lucene search

GitHub Advisory DatabaseGHSA-GX8M-F3MP-FG99

HistoryMay 28, 2024 - 4:54 p.m.

formwork Cross-site scripting vulnerability in Markdown fields

2024-05-2816:54:31

CWE-79

GitHub Advisory Database

github.com

formwork

markdown

xss

vulnerability

patch

html

administration

panel

permissions

configuration

release

cve-2024-35621

system

5.5 Medium

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Impact

Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.

Patches

Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option content.safe_mode (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
Formwork 2.x (6adc302) adds a similar content.safeMode system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.

References

https://vulners.com/cve/CVE-2024-35621

Affected configurations

Vulners

Node

getformworkformworkRange<1.13.0

CPENameOperatorVersion
getformwork/formworklt1.13.0

CPE	Name	Operator	Version
	getformwork/formwork	lt	1.13.0

References

github.com/advisories/GHSA-gx8m-f3mp-fg99

github.com/getformwork/formwork/commit/2d92e6dbf99a9a49797947afbda0cdd4e56e11df

github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723

github.com/getformwork/formwork/security/advisories/GHSA-gx8m-f3mp-fg99

nvd.nist.gov/vuln/detail/CVE-2024-35621