26 matches found
CVE-2025-67718
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
CVE-2025-67718 Formio improperly authorized permission elevation through specially crafted request path
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
PT-2025-50565
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized...
Form.io 信息泄露漏洞
Form.io is a combined forms and API platform for serverless applications from US-based Form.io. An information disclosure vulnerability exists in Form.io versions prior to 3.5.6 and 4.0.0-rc.1 through 4.4.2, which stems from a flaw in path handling that could lead an attacker to access a protecte...
CVE-2020-28246
A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...
CVE-2024-34706
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the...
CVE-2024-34706
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the...
JWT Exposure
@valtimo/components is vulnerable to JWT Exposure. The vulnerability is due to a misconfiguration of the Form.io component, which exposes the user's access token JWT to api.form.io via the x-jwt-token header, allowing attackers to retrieve personal information or execute requests to the Valtimo...
@valtimo/components exposes access token to form.io
Impact When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the Valtimo REST API on behalf of the logged-in user. This issue is...
CVE-2024-34706 @valtimo/components exposes access token to form.io
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the...
CVE-2024-34706
Valtimo exposes the user JWT in the x-jwt-token header to api.form.io due to a Form.io component misconfiguration. An attacker with network access to api.form.io and the Valtimo API, and who can read the token TTL (default 5 minutes), can access personal data or perform actions on behalf of the l...
CVE-2024-34706 @valtimo/components exposes access token to form.io
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the...
CVE-2024-34706 @valtimo/components exposes access token to form.io
Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of the user is exposed to api.form.io via the the x-jwt-token header. An attacker can retrieve personal information from this token, or use it to execute requests to the...
PT-2024-26120 · Form.Io +2 · Form.Io +2
Name of the Vulnerable Software and Affected Versions: Valtimo versions prior to 10.8.4 Valtimo versions prior to 11.1.6 Valtimo versions prior to 11.2.2 Description: Valtimo is an open source business process and case management platform. When opening a form in Valtimo, the access token JWT of t...
GHSA-52VJ-MR2J-F8JH Server-Side Template Injection in formio
A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...
Server-Side Template Injection in formio
A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...
CVE-2020-28246
A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...
CVE-2020-28246
A Server-Side Template Injection SSTI was discovered in Form.io 2.0.0. This leads to Remote Code Execution during deletion of the default Email template URL. NOTE: the email templating service was removed after 2020. Additionally, the vendor disputes this issue indicating this is sandboxed and on...