Lucene search

GoogleOSV:CVE-2024-37160

HistoryJun 07, 2024 - 2:15 p.m.

CVE-2024-37160

2024-06-0714:15:10

Google

osv.dev

formwork cms

arbitrary execution

site options

web script

security vulnerability

software update

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.1%

JSON

Formwork is a flat file-based Content Management System (CMS). An attackers (requires administrator privilege) to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). This vulnerability is fixed in 1.13.1.

CPENameOperatorVersion
formworkeq0.11.1
formworkeq1.4.0
formworkeq1.7.1
formworkeq1.8.0
formworkeq1.11.0
formworkeq1.4.5
formworkeq0.10.4
formworkeq0.10.2
formworkeq1.0.0
formworkeq1.12.1

Name	Operator	Version
formwork	eq	0.11.1
formwork	eq	1.4.0
formwork	eq	1.7.1
formwork	eq	1.8.0
formwork	eq	1.11.0
formwork	eq	1.4.5
formwork	eq	0.10.4
formwork	eq	0.10.2
formwork	eq	1.0.0
formwork	eq	1.12.1

Rows per page:

1-10 of 461

References

github.com/getformwork/formwork/commit/9d471204f7ebb51c3c27131581c2b834315b5e0b

github.com/getformwork/formwork/commit/f5312015a5a5e89b95ef2bd07e496f8474d579c5

github.com/getformwork/formwork/security/advisories/GHSA-5pxr-7m4j-jjc6