CVE-2023-33971
- Source
- https://cve.org/CVERecord?id=CVE-2023-33971
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-33971.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-33971
- Aliases
-
- GHSA-777g-3848-8r3g
- Published
- 2023-05-31T17:56:18.413Z
- Modified
- 2026-04-10T05:06:16.700568Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Formcreator vulnerable to stored XSS from ##FULLFORM##
- Details
-
Formcreator is a GLPI plugin which allow creation of custom forms and the creation of one or more tickets when the form is filled. A probable stored cross-site scripting vulnerability is present in Formcreator 2.13.5 and prior via the use of the use of
##FULLFORM##for rendering. This could result in arbitrary javascript code execution in an admin/tech context. A patch is unavailable as of time of publication. As a workaround, one may use a regular expression to remove< > "in all fields. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/33xxx/CVE-2023-33971.json", "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/pluginsglpi/formcreator
Affected versions
0.*
0.84-2.0
0.84-2.1
0.84-2.1.1
0.85-1.0
0.85-1.1
0.85-1.2
0.85-1.2.1
0.85-1.2.2
0.85-1.2.3
0.85-1.2.4
0.90-1.2.5
0.90-1.3
0.90-1.3.1
0.90-1.3.2
0.90-1.3.3
0.90-1.3.4
2.*
2.13.0
2.13.0-alpha.1
2.13.0-alpha.2
2.13.0-alpha.3
2.13.0-alpha.4
2.13.0-beta.1
2.13.0-beta.2
2.13.0-rc.1
2.13.0-rc.2
2.13.1
2.13.3
2.13.4
2.13.5
2.5.2
v2.*
v2.6.4
v2.8.4