Impact
Users with access to the administration panel with page editing permissions could insert <script> tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.
Patches
- Formwork 1.13.0 has been released with a patch that solves this vulnerability. Now the system config option
content.safe_mode (enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.
- Formwork 2.x (6adc302) adds a similar
content.safeMode system option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however, <script> and other dangerous tags are still converted to text, but secure tags are allowed.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621
Kyokito1412 Reporter
Impact
Users with access to the administration panel with page editing permissions could insert
<script>tags in markdown fields, which are exposed on the publicly accessible site pages, leading to potential XSS injections.Patches
content.safe_mode(enabled by default) controls whether HTML tags and potentially dangerous links are escaped. This is configurable as in some cases more flexibility should be given. Panel users should be only a controlled group of editors, which cannot enable the option by themselves, and not a generic group. This mitigates the chance of introducing vulnerabilities.content.safeModesystem option. Like Formwork 1.13.0, by default HTML tags and dangerous link are escaped. Even if enabled by an administrator, however,<script>and other dangerous tags are still converted to text, but secure tags are allowed.References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35621