Описание
Formwork Cross-site Scripting (XSS) from Page title field
Description
A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field.
Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field.
Patched versions
This vulnerability has been patched in Formwork 1.13.0.
Пакеты
Наименование
getformwork/formwork
composer
Затронутые версииВерсия исправления
< 1.13.0
1.13.0
Связанные уязвимости
CVSS3: 4.8
nvd
почти 3 года назад
A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter.