verbb/formie Server-Side Template Injection for variable-enabled settings

OSV ID: OSV:GHSA-V45M-HXQP-FWF5
Published: 2024-05-20 20:26:28
Source: Google osv.dev

Keywords: server-side template injection, variable-enabled settings, twig code execution, submission settings, control panel access, formie 2.1.6, security patches

CVSS3: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

AI Score: 6.6 (Confidence: High)
EPSS: 0 (Percentile: 9.0%)

Impact

Users with access to a form’s settings can inject malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message. That code is then executed when a submission is created or when the text is rendered.

This is listed as low-medium severity because editing a form’s settings requires control panel access.

Patches

This has been fixed in Formie 2.1.6. Users should ensure they are running at least this version.
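As an added example (not Formie's own code, and not the actual patch), one defensive pattern for this class of bug: a control-panel-editable setting such as the Success Message is rendered through a sandboxed Twig environment, so the template can only read a whitelisted set of submission properties and filters and any other access is rejected before it executes. The Submission class, the policy contents and the Composer autoload path are assumptions; it assumes PHP 8 and twig/twig 3.

```php
<?php
// Added example, not Formie's code. Renders a form setting that admins may
// edit (e.g. the Success Message) through a sandboxed Twig environment, so
// the template can only read whitelisted properties and filters.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig via Composer

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Hypothetical stand-in for a form submission object.
final class Submission
{
    public function __construct(public string $title, public string $email) {}
    public function delete(): void {} // must never be reachable from a template
}

function buildSandboxedTwig(): Environment
{
    $policy = new SecurityPolicy(
        ['if', 'for'],                                 // allowed tags
        ['escape', 'e', 'upper', 'lower', 'trim'],     // allowed filters
        [],                                            // allowed methods: none
        [Submission::class => ['title', 'email']],     // allowed properties
        []                                             // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader());
    // true = sandbox every template, including ones built with createTemplate()
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig;
}

function renderSetting(Environment $twig, string $setting, Submission $s): string
{
    try {
        return $twig->createTemplate($setting)->render(['submission' => $s]);
    } catch (SecurityError $e) {
        // Reject the template instead of executing it; log for detection.
        error_log('Rejected Twig in form setting: ' . $e->getMessage());
        return '';
    }
}

$twig = buildSandboxedTwig();
$s = new Submission('Contact request', 'alice@example.com');
echo renderSetting($twig, 'Thanks, {{ submission.title|upper }}', $s), "\n"; // allowed
echo renderSetting($twig, '{{ submission.delete() }}', $s), "\n";            // blocked
```

The first call renders normally; the second is refused at runtime with a SecurityError because method calls are not on the policy, and the rejection is logged where a SIEM can pick it up.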
