Headline
GHSA-gx8m-f3mp-fg99: formwork Cross-site scripting vulnerability in Markdown fields
Impact
Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
Patches
- Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option
content.safe_mode(enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities. - Formwork 2.x (6adc302) adds a similar
content.safeModesystem option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however,<script>and other dangerous tags are still converted to text, but secure tags are allowed.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-35621
formwork Cross-site scripting vulnerability in Markdown fields
Moderate severity GitHub Reviewed Published May 25, 2024 in getformwork/formwork • Updated May 28, 2024
Package
composer getformwork/formwork (Composer)
Affected versions
< 1.13.0
Impact
Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
Patches
- Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option content.safe_mode (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
- Formwork 2.x (6adc302) adds a similar content.safeMode system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621
References
- GHSA-gx8m-f3mp-fg99
- getformwork/formwork@2d92e6d
- getformwork/formwork@6adc302
Published to the GitHub Advisory Database
May 28, 2024
Last updated
May 28, 2024