Users with access to the administration panel with page editing permissions could insert `<script>` tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
Since Formwork 1.13.0, HTML tags and dangerous links are escaped by default. This is controlled by the `content.safe_mode` system option (also referred to as `content.safeMode`), which is enabled by default and is configurable because in some cases more flexibility should be given. Even if an administrator turns safe mode off, `<script>` and other dangerous tags are still converted to text; only secure tags are allowed.

Panel users should be only a controlled group of editors, which cannot change this option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.

| CPE | Name | Operator | Version |
|---|---|---|---|
| | getformwork/formwork | lt | 1.13.0 |
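The two-tier policy described above (safe mode escapes every raw tag and dangerous link; with safe mode off an allowlist of harmless tags passes while `<script>` and similar are still turned into text) is easy to get subtly wrong, so here is an added example that models it. This is illustrative code written for this page, not Formwork's own implementation: the tag allowlist, the `is_safe_url` scheme check, the `render_inline` entry point and the sample inputs are all assumptions, and only the raw-HTML and markdown-link stages are modelled, not block-level markdown.

```python
"""Toy model of a markdown "safe mode" for raw HTML and links.
Added example for this page; not Formwork's code. The allowlist and
function names below are assumptions made for illustration."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for the non-safe mode: tags an editor plausibly needs.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "code", "pre", "p", "br",
                "ul", "ol", "li", "blockquote", "h2", "h3"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # never on*/style: event handlers run script
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs and fragments


def is_safe_url(url):
    """Reject javascript:, data:, vbscript: etc., including obfuscated forms
    such as "JaVaScRiPt:", "java\\nscript:" or entity-encoded colons."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", html.unescape(url)).lower()
    return urlparse(cleaned).scheme in SAFE_SCHEMES


class SafeModeFilter(HTMLParser):
    """safe_mode=True: every raw tag becomes literal text.
    safe_mode=False: allowlisted tags pass with filtered attributes;
    <script>, <iframe>, <style>, ... are still rendered as text."""

    def __init__(self, safe_mode):
        super().__init__(convert_charrefs=True)
        self.safe_mode = safe_mode
        self.out = []

    def handle_starttag(self, tag, attrs):
        if self.safe_mode or tag not in ALLOWED_TAGS:
            # Re-emit the original tag text escaped, so the browser shows it literally.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not is_safe_url(value or ""):
                continue  # drops javascript: and data: links on <a>
            kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> style void tags

    def handle_endtag(self, tag):
        if self.safe_mode or tag not in ALLOWED_TAGS:
            self.out.append(html.escape(f"</{tag}>"))
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including <script> bodies, which HTMLParser delivers as data)
        # is always re-escaped, quotes included, so it is safe inside attributes later.
        self.out.append(html.escape(data))

    def handle_comment(self, data):
        self.out.append(html.escape(f"<!--{data}-->"))  # no hidden markup via comments


MD_LINK = re.compile(r"\[([^\]]*)\]\(([^)\s]+)\)")  # minimal [text](url), no titles


def _link_repl(match):
    text, url = match.group(1), match.group(2)
    if is_safe_url(url):
        return f'<a href="{url}">{text}</a>'  # text and url were already escaped above
    return match.group(0)  # dangerous scheme: leave the markdown as plain text


def render_inline(markdown_text, safe_mode=True):
    """Apply the safe-mode policy to raw HTML, then convert markdown links."""
    parser = SafeModeFilter(safe_mode)
    parser.feed(markdown_text)
    parser.close()  # flushes buffered trailing text
    return MD_LINK.sub(_link_repl, "".join(parser.out))


if __name__ == "__main__":
    # Constructed inputs an editor might paste into a page field.
    payloads = [
        'Hi <script>alert(document.cookie)</script>',
        '<b onclick="steal()">bold</b>',
        '[click me](javascript:alert(1))',
        '<a href="javascript:alert(1)" title="t">x</a>',
        '[docs](https://example.com/?a=1&b=2)',
    ]
    for p in payloads:
        print("safe_mode=True :", render_inline(p, safe_mode=True))
        print("safe_mode=False:", render_inline(p, safe_mode=False))
```

Two design points matter for the advisory's scenario. First, `<script>` is rejected by allowlist rather than by a blocklist, so `<iframe>`, `<object>`, `<svg onload>` and any tag not explicitly needed fall into the "converted to text" path automatically. Second, link safety is checked after unescaping and stripping whitespace and control characters, because `java&#10;script:` or `JaVaScRiPt:` would otherwise slip past a naive prefix comparison.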
github.com/advisories/GHSA-gx8m-f3mp-fg99
github.com/getformwork/formwork/commit/2d92e6dbf99a9a49797947afbda0cdd4e56e11df
github.com/getformwork/formwork/commit/6adc302f5a294f2ffbbf1571dd4ffea6b7876723
github.com/getformwork/formwork/security/advisories/GHSA-gx8m-f3mp-fg99
nvd.nist.gov/vuln/detail/CVE-2024-35621