Lucene search

Veracode Vulnerability DatabaseVERACODE:47149

HistoryMay 23, 2024 - 12:01 p.m.

Template Injection

2024-05-2312:01:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

verbb/formie

template injection

arbitrary code

twig code

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

verbb/formie is vulnerable to Template Injection. An attacker can execute arbitrary code by including malicious Twig code into fields that support Twig, such as the Submission Title or the Success Message.

CPENameOperatorVersion
verbb/formiele2.1.5
verbb/formiele2.1.5

CPE	Name	Operator	Version
	verbb/formie	le	2.1.5
	verbb/formie	le	2.1.5

References

github.com/advisories/GHSA-v45m-hxqp-fwf5

github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420

github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Related for VERACODE:47149