Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4OHYtaHh4eC0ycmdo
Potential Code Injection in Sprout Forms
Impact
A potential Server-Side Template Injection vulnerability exists in Sprout Forms which could lead to the execution of Twig code.
Patches
The problem is fixed in barrelstrength/sprout-forms:v3.9.0, which upgrades to barrelstrength/sprout-base-email:v1.2.7
Workarounds
Users unable to upgrade should update any Notification Emails to use the "Basic Notification (Sprout Email)" template and avoid using the "Basic Notification (Sprout Forms)" template or any custom templates that display Form Fields.
References
- See the release notes in the CHANGELOG
- Credits to Paweł Hałdrzyński, Daniel Kalinowski from ISEC.PL for discovery and responsible disclosure
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Sprout Forms repo
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXB4OHYtaHh4eC0ycmdo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Identifiers: GHSA-px8v-hxxx-2rgh, CVE-2020-11056
References:
- https://github.com/barrelstrength/craft-sprout-forms/security/advisories/GHSA-px8v-hxxx-2rgh
- https://nvd.nist.gov/vuln/detail/CVE-2020-11056
- https://github.com/barrelstrength/craft-sprout-forms/blob/v3/CHANGELOG.md#390---2020-04-09-critical
- https://github.com/barrelstrength/craft-sprout-base-email/commit/5ef759f4713ede6dbf77c9d9df9f992876e43a49
- https://github.com/advisories/GHSA-px8v-hxxx-2rgh
Blast Radius: 8.0
Affected Packages
packagist:barrelstrength/sprout-forms
Dependent packages: 5
Dependent repositories: 11
Downloads: 84,958 total
Affected Version Ranges: < 3.9.0
Fixed in: 3.9.0
All affected versions: 0.7.1, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.9, 3.4.0, 3.4.1, 3.4.2, 3.4.3, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.6.2, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.6.9, 3.6.10, 3.7.0, 3.7.2, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8
All unaffected versions: 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.11.8, 3.11.9, 3.12.0, 3.12.1, 3.12.2, 3.13.0, 3.13.1, 3.13.2, 3.13.4, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.13.9, 3.13.10, 3.13.11, 3.13.12, 3.13.13, 3.13.14, 3.13.15, 3.13.16, 3.13.17, 3.13.18, 3.13.19, 3.13.20, 3.14.0
packagist:barrelstrength/sprout-base-email
Dependent packages: 4
Dependent repositories: 12
Downloads: 90,985 total
Affected Version Ranges: < 1.2.7
Fixed in: 1.2.7
All affected versions: 1.0.0, 1.0.1, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6
All unaffected versions: 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10