CVE-2024-35191

Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
Configurations

No configuration.

History

21 Nov 2024, 09:19

Type Values Removed Values Added
References () https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 - () https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 -
References () https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 - () https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 -
Summary
  • (es) Formie es un complemento de Craft CMS para crear formularios. Antes de 2.1.6, los usuarios con acceso a la configuración de un formulario podían incluir código Twig malicioso en campos compatibles con Twig. Estos podrían ser el título del envío o el mensaje de éxito. Este código luego se ejecutará al crear un envío o al representar el texto. Esto se ha solucionado en Formie 2.1.6.

20 May 2024, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-20 21:15

Updated : 2024-11-21 09:19


NVD link : CVE-2024-35191

Mitre link : CVE-2024-35191

CVE.ORG link : CVE-2024-35191


JSON object : View

Products Affected

No product.

CWE
CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine