formwork Cross-site scripting vulnerability in Markdown fields

Impact

Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.

Patches

• Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option content.safe_mode (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
• Formwork 2.x (6adc302) adds a similar content.safeMode system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.

References

https://vulners.com/cve/CVE-2024-35621