
CVE-2023-33971: Stored XSS from ##FULLFORM##

Formcreator is a GLPI plugin which allows the creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of ##FULLFORM## for rendering. This could result in arbitrary JavaScript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove < > " in all fields.


Hi team

Summary

A probable Stored XSS is present in formcreator via the use of ##FULLFORM## for render.

PoC

1 - As admin : create a form with a question classic text field.
2 - As admin : as target description templating description use “##FULLFORM##”
3 - As user : fill the form with the payload : "><img src=x onerror="alert(1337)" x=x>
4 - As admin : Go to the newly created ticket : https://mysuperglpi.fr/front/ticket.form.php?id=704

Impact

Arbitrary JavaScript code execution in admin/tech context.

Temporary workaround

Use a regex to remove < > " on all fields …

Sorry for my English,
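
The temporary workaround described above, shown next to render-time output encoding, as an added example (not Formcreator or GLPI code). Function and field names are hypothetical, and the sample submission is constructed around the PoC string from the report.

```php
<?php
declare(strict_types=1);

// Workaround from the advisory: drop < > " from a submitted value.
// preg_replace() returns null on invalid UTF-8 with /u; the value is then
// discarded rather than passed through unfiltered.
function strip_markup_chars(string $value): string
{
    return preg_replace('/[<>"]/u', '', $value) ?? '';
}

// Apply the workaround to every field of a submission, including nested
// arrays (multi-value answers). Non-string values are left untouched.
function sanitize_answers(array $answers): array
{
    array_walk_recursive($answers, function (&$v): void {
        if (is_string($v)) {
            $v = strip_markup_chars($v);
        }
    });
    return $answers;
}

// Output encoding at render time: the stored value stays intact but can no
// longer close an attribute or open a tag. ENT_QUOTES also encodes the single
// quote, which the three-character workaround does not remove.
function render_answer(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submission; field names are hypothetical. The first value is
// the PoC string from the report above.
$submission = [
    'short_text' => '"><img src=x onerror="alert(1337)" x=x>',
    'tags'       => ['printer', '<b>urgent</b>'],
    'quantity'   => 3,
];

$clean = sanitize_answers($submission);
echo $clean['short_text'], PHP_EOL;   // workaround: markup characters removed
echo $clean['tags'][1], PHP_EOL;      // nested values are filtered too
echo render_answer($submission['short_text']), PHP_EOL; // encoded, not altered
```

Stripping characters changes what the user typed and depends on every input path being filtered; encoding where the answer is written into HTML covers values that were stored before the filter was in place.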
