GitHub Advisory Database: GHSA-V45M-HXQP-FWF5
Published: May 20, 2024 - 8:26 p.m.

verbb/formie Server-Side Template Injection for variable-enabled settings

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine ('Template Injection')
Source: GitHub Advisory Database (github.com)

CVSS v3.1 base score: 4.4 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

EPSS: 0.0004 (percentile 9.1%)

Impact

Users with control panel access to a form's settings can place malicious Twig code in the form fields that accept Twig (the variable-enabled settings), such as the Submission Title or the Success Message. That code is executed server-side when a submission is created or when the text is rendered.

The advisory rates this low-to-medium severity because exploitation requires control panel access with permission to edit a form's settings.
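The following is an added illustration of the vulnerability class described above; it is not Formie's or Craft's code, and the sandbox policy it shows is not the fix shipped in Formie 2.1.6. It assumes twig/twig is installed via Composer, and the Submission and DbConfig objects (and the secret in DbConfig) are constructed stand-ins for whatever a real render context exposes. The same editor-controlled setting string is compiled first as an unrestricted Twig template (the vulnerable pattern) and then inside a Twig sandbox whose policy allow-lists only the fields a form editor is meant to reference.

```php
<?php
// Added illustration, not Formie's or Craft's code. Requires twig/twig
// (composer require twig/twig) and PHP 8.0+ for named arguments.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed stand-ins for objects a render context might expose.
final class Submission
{
    public function __construct(public string $title, public int $id) {}
}

final class DbConfig
{
    // Constructed secret. Assumption: some privileged object is reachable
    // from the context handed to the template engine.
    public string $password = 'constructed-db-secret';
}

function buildContext(): array
{
    return [
        'submission' => new Submission('Contact from alice', 42),
        'db'         => new DbConfig(),
    ];
}

// Vulnerable pattern: the editor's setting string is compiled as a template
// with full Twig semantics, so anything in the context is reachable.
function renderUnsandboxed(string $setting, array $context): string
{
    $twig = new Environment(new ArrayLoader(['setting' => $setting]), ['autoescape' => false]);
    return $twig->render('setting', $context);
}

// Hardened pattern: the same string is rendered inside a Twig sandbox whose
// policy allow-lists only the fields a form editor is supposed to reference.
// Illustrative policy only; not the change made in Formie 2.1.6.
function renderSandboxed(string $setting, array $context): string
{
    $policy = new SecurityPolicy(
        allowedTags: [],                                   // no {% ... %} tags
        allowedFilters: ['escape', 'e', 'upper', 'lower', 'trim'],
        allowedMethods: [],                                // no method calls on any object
        allowedProperties: [Submission::class => ['title', 'id']],
        allowedFunctions: [],                              // no functions
    );
    $twig = new Environment(new ArrayLoader(['setting' => $setting]), ['autoescape' => 'html']);
    $twig->addExtension(new SandboxExtension($policy, sandboxed: true));
    return $twig->render('setting', $context);
}

$context = buildContext();

// What the variable-enabled field is meant to hold...
$benign = 'Thanks, we received "{{ submission.title }}" (#{{ submission.id }}).';
// ...and what an editor with control panel access can type into the same field.
$malicious = 'Thanks! {{ db.password }}';

echo renderUnsandboxed($benign, $context), PHP_EOL;    // renders the expected text
echo renderUnsandboxed($malicious, $context), PHP_EOL; // leaks the constructed secret

echo renderSandboxed($benign, $context), PHP_EOL;      // still renders
try {
    renderSandboxed($malicious, $context);
} catch (SecurityError $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;       // db.password is not allow-listed
}
```

The sandbox is defense in depth rather than a complete answer: it still compiles editor-controlled text with Twig, so every new object placed in the context has to be reviewed against the policy. The more robust design for a "variable-enabled" setting is to never compile it at all and instead substitute a fixed set of named placeholders into plain text, which removes template execution from the control panel user's reach entirely.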

Patches

This has been fixed in Formie 2.1.6. Users should ensure they are running at least this version; for Composer-managed installs, running "composer show verbb/formie" reports the installed version.

Affected configurations

Package: verbb/formie (Craft CMS plugin)
Affected versions: < 2.1.6
Patched version: 2.1.6
