Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW01dngtOGNoeC1xdm1t
Form validation can be skipped
Impact
By crafting a special GET request containing a valid form state, a form can be submitted without invoking any validators.
We consider the severity low because it is not possible to change any form values since the form state is secured with an HMAC that is still verified.
That means that this issue can only be exploited if Form Finishers cause side effects even if no form values have been sent.
Patches
https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246
Workarounds
Form Finishers can be adjusted in a way that they only execute an action if the submitted form contains some expected data.
Alternatively a custom Finisher can be added as first finisher.
References
This regression was introduced with https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
Original report: https://tickets.neos.io/#ticket/zoom/411 (internal)
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW01dngtOGNoeC1xdm1t
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 9 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-m5vx-8chx-qvmm, CVE-2021-32697
References:
- https://github.com/neos/form/security/advisories/GHSA-m5vx-8chx-qvmm
- https://github.com/neos/form-ghsa-m5vx-8chx-qvmm/pull/1
- https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246
- https://github.com/neos/form/releases/tag/5.1.3
- https://github.com/neos/form/commit/049d415295be8d4a0478ccba97dba1bb81649567
- https://nvd.nist.gov/vuln/detail/CVE-2021-32697
- https://github.com/FriendsOfPHP/security-advisories/blob/master/neos/form/CVE-2021-32697.yaml
- https://github.com/advisories/GHSA-m5vx-8chx-qvmm
Blast Radius: 12.7
Affected Packages
packagist:neos/form
Dependent packages: 35Dependent repositories: 90
Downloads: 720,633 total
Affected Version Ranges: >= 5.1.0, < 5.1.3, >= 5.0.0, < 5.0.9, >= 1.2.0, < 4.3.3
Fixed in: 5.1.3, 5.0.9, 4.3.3
All affected versions: 1.2.0, 1.2.1, 1.2.2, 1.2.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 3.0.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.3.0, 4.3.1, 4.3.2, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.1.0, 5.1.1, 5.1.2
All unaffected versions: 1.1.0, 4.3.3, 5.0.9, 5.0.10, 5.1.3, 5.1.4, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.3.0, 5.3.1, 5.3.2, 5.3.3, 5.4.0, 5.4.1, 5.4.2