GHSA-fvrh-wrpf-6q7h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fvrh-wrpf-6q7h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-fvrh-wrpf-6q7h/GHSA-fvrh-wrpf-6q7h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fvrh-wrpf-6q7h
- Aliases
- Published
- 2023-02-10T18:30:32Z
- Modified
- 2024-05-28T14:58:37.827327Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Formwork Cross-site Scripting (XSS) from Page title field
- Details
-
Description
A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.
Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field.
Patched versions
This vulnerability has been patched in Formwork 1.13.0.
- Database specific
{ "nvd_published_at": "2023-02-10T16:15:00Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-05-28T14:22:30Z" }- References
Affected packages
Packagist / getformwork/formwork
Package
- Name
- getformwork/formwork
- Purl
- pkg:composer/getformwork/formwork
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.13.0
Affected versions
0.*
0.6.9
0.6.10
0.6.11
0.6.12
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
1.*
1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.5.1
1.5.2
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.9.0
1.9.1
1.10.0
1.10.1
1.10.2
1.10.3
1.11.0
1.11.1
1.12.0
1.12.1