GSA_kwCzR0hTQS1mdnJoLXdycGYtNnE3aM4AAxh2

Moderate EPSS: 0.00087% (0.26433 Percentile) EPSS:

Permalink JSON

Formwork Cross-site Scripting (XSS) from Page title field

Affected Packages	Affected Versions	Fixed Versions
packagist:getformwork/formwork	< 1.13.0	1.13.0
0 Dependent packages 0 Dependent repositories 228 Downloads total Affected Version Ranges All affected versions 0.6.9, 0.6.10, 0.6.11, 0.6.12, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.7.0, 1.7.1, 1.8.0, 1.9.0, 1.9.1, 1.10.0, 1.10.1, 1.10.2, 1.10.3, 1.11.0, 1.11.1, 1.12.0, 1.12.1 All unaffected versions 1.13.0, 1.13.1, 1.13.2

Description

A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.

Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field.

Patched versions

This vulnerability has been patched in Formwork 1.13.0.

References:

Identifiers

GHSA-fvrh-wrpf-6q7h

CVE-2023-24230

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00087

EPSS Percentile: 0.26433

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/getformwork/formwork

Date and time

Published

over 2 years ago

Updated

about 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories