Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
References
Configurations
No configuration.
History
21 Nov 2024, 09:19
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 - | |
References | () https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 - | |
Summary |
|
20 May 2024, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-05-20 21:15
Updated : 2024-11-21 09:19
NVD link : CVE-2024-35191
Mitre link : CVE-2024-35191
CVE.ORG link : CVE-2024-35191
JSON object : View
Products Affected
No product.
CWE
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine