CVE-2024-35191
verbb/formie Server-Side Template Injection for variable-enabled settings
Severity Score
4.4
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Formie is a Craft CMS plugin for creating forms. Prior to 2.1.6, users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This has been fixed in Formie 2.1.6.
Formie es un complemento de Craft CMS para crear formularios. Antes de 2.1.6, los usuarios con acceso a la configuración de un formulario podían incluir código Twig malicioso en campos compatibles con Twig. Estos podrían ser el título del envío o el mensaje de éxito. Este código luego se ejecutará al crear un envío o al representar el texto. Esto se ha solucionado en Formie 2.1.6.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-05-10 CVE Reserved
- 2024-05-20 CVE Published
- 2024-05-21 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/verbb/formie/commit/90296edf7e707f117e760aa57e70dbd43a854420 | X_refsource_misc | |
| https://github.com/verbb/formie/security/advisories/GHSA-v45m-hxqp-fwf5 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|