Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-vf6x-59hh-332f: Formwork has a cross-site scripting (XSS) vulnerability in Site title

Summary

The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.

Impact

The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.

Patches

Details

By embedding "<!–", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.

PoC

image

  1. The page where the vulnerability was found, and the attack surface is the Title field. image

  2. I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected. image

  3. Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.

ghsa
Open in Source
#xss#vulnerability#js#git#firefox

Summary

The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.

Impact

The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.

Patches

  • Formwork 2.x (aa3e9c6) escapes site title from panel header navigation.

Details

By embedding "<!–", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.

PoC

  1. The page where the vulnerability was found, and the attack surface is the Title field.

  2. I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected.

  3. Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.

References

  • GHSA-vf6x-59hh-332f

ghsa: Latest News

GHSA-c85w-x26q-ch87: Formwork improperly validates input of User role preventing site and panel availability
ghsa