Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-jp3q-wwp3-pwv9

Опубликовано: 22 янв. 2026
Источник: github
Github: Прошло ревью
CVSS4: 2.1

Описание

Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue

Summary An authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with dangerouslySetInnerHTML without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.

Affected Product

  • Ecosystem: Packagist (Craft CMS plugin)
  • Package: solspace/craft-freeform
  • Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.

Details

  • Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using dangerouslySetInnerHTML without sanitization.
  • Evidence: dangerouslySetInnerHTML on user-controlled properties in bundled CP JS at packages/plugin/src/Resources/js/client/client.js.

PoCs

  • Label-based XSS:
    1. In Craft CP, create/edit a Freeform field and set its label to <img src=x onerror="alert('xss-label')">.
    2. Open the form builder view containing the field.
    3. Alert executes (stored XSS).
  • Integration icon SVG:
    1. Set an integration "icon SVG" to <svg><script>alert('xss-icon')</script></svg>.
    2. Open the integrations CP view.
    3. Script executes.

Impact Arbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.

Remediation

  • Sanitize/HTML-encode all user-controlled strings before passing to dangerouslySetInnerHTML, or avoid it for labels/titles/icons.
  • Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.
  • Add regression tests with <img onerror> payloads to ensure no execution in builder/integration views.

Workarounds

  • Restrict form-edit permissions to trusted admins only until patched.
  • Consider CSP that disallows inline scripts (defense-in-depth only).

Credits

Disclosure / CVE Request

  • Request CVE for this confirmed stored XSS.

Ссылки

Пакеты

Наименование

solspace/craft-freeform

composer
Затронутые версииВерсия исправления

<= 5.14.6

5.14.7

2.1 Low

CVSS4

Дефекты

CWE-79

2.1 Low

CVSS4

Дефекты

CWE-79