GHSA-v45m-hxqp-fwf5: verbb/formie Server-Side Template Injection for variable-enabled settings
Impact
Users with access to a form’s settings can include malicious Twig code in fields that support Twig, such as the Submission Title or the Success Message. This code is then executed when a submission is created or when the text is rendered.
This is listed as low-medium severity due to requiring control panel access to edit a form’s settings.
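The pattern behind this class of bug, shown as an added illustration that is not Formie's code and does not reproduce its 2.1.6 fix: a setting string that an editor controls is handed to Twig as the template itself, versus handing it to Twig as data (or compiling it only inside Twig's sandbox with an allowlist). It assumes Twig is installed through Composer; the "Success Message" text, the `submission` array and the filter allowlist are constructed samples.

```php
<?php
// Added illustration, not code from Formie or its 2.1.6 fix. It assumes Twig is
// installed through Composer; the setting text and the "submission" data are
// constructed samples.
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

// Constructed sample: a "Success Message" setting as someone with form-edit
// access in the control panel might save it. "{{ 7*7 }}" is a benign marker
// that shows whether the string is evaluated or merely displayed; "{% set %}"
// shows whether arbitrary Twig tags are accepted at all.
$successMessage = 'Thanks, {{ submission.title }}! {{ 7*7 }}{% set x = 1 %}';
$vars = ['submission' => ['title' => 'Contact form #42']];

// Vulnerable pattern: the setting itself becomes the template, so whatever
// Twig it contains is compiled and run with the application's full privileges.
function renderAsTemplate(string $setting, array $vars): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate($setting)->render($vars);
}

// Hardened pattern 1: only a developer-authored template is compiled; the
// setting is passed in as data and autoescaped, so its braces are inert text.
function renderAsData(string $setting, array $vars): string
{
    $twig = new Environment(new ArrayLoader([]));
    return $twig->createTemplate('{{ message }}')
                ->render(['message' => $setting] + $vars);
}

// Hardened pattern 2 (when variable substitution must stay available): compile
// the setting inside Twig's sandbox under an allowlist policy. With no allowed
// tags, functions, methods or properties, "{{ submission.title }}" still
// resolves, but "{% set %}" raises a SecurityError and the whole message is
// refused rather than partially rendered.
function renderSandboxed(string $setting, array $vars): string
{
    $policy = new SecurityPolicy(
        [],                  // allowed tags: none
        ['escape', 'upper'], // allowed filters: a small, reviewed list (constructed)
        [],                  // allowed object methods: none
        [],                  // allowed object properties: none
        []                   // allowed functions: none
    );
    $twig = new Environment(new ArrayLoader([]));
    $twig->addExtension(new SandboxExtension($policy, true));
    try {
        return $twig->createTemplate($setting)->render($vars);
    } catch (SecurityError $e) {
        // Surface the rejection to logging/alerting; do not render a fallback.
        return 'Rejected untrusted Twig in setting: ' . $e->getMessage();
    }
}

echo renderAsTemplate($successMessage, $vars), PHP_EOL;
echo renderAsData($successMessage, $vars), PHP_EOL;
echo renderSandboxed($successMessage, $vars), PHP_EOL;
```

Running the three renders side by side shows the difference a reviewer should look for in any "variable-enabled" setting: in the first, the arithmetic marker is evaluated and the `set` tag is accepted; in the second, the setting is printed verbatim; in the third, the variable resolves but the disallowed tag is refused before anything is rendered. Each function builds its own `Environment` because Twig does not allow an extension to be registered after an environment has already compiled a template.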
Patches
This has been fixed in Formie 2.1.6. Users should ensure they are running at least this version.
- CVE ID: CVE-2024-35191
Moderate severity. GitHub Reviewed. Published May 18, 2024 in verbb/formie. Updated May 20, 2024.
Package: verbb/formie
Affected versions: < 2.1.6
References
- GHSA-v45m-hxqp-fwf5
- verbb/formie@90296ed
Published to the GitHub Advisory Database: May 20, 2024
Last updated: May 20, 2024