Описание
Formwork has a cross-site scripting (XSS) vulnerability in Site title
Summary
The site title field at /panel/options/site/allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users.
Impact
The attack is widespread, leveraging what XSS can do. This will undoubtedly impact system availability.
Patches
- Formwork 2.x (aa3e9c6) escapes site title from panel header navigation.
Details
By embedding "<!--", the source code can be rendered non-functional, significantly impacting system availability. However, the attacker would need admin privileges, making the attack more difficult to execute.
PoC
-
The page where the vulnerability was found, and the attack surface is the Title field.
-
I tested accessing the Dashboard page using a regular user account with Firefox, a different browser, and found that it was also affected.
-
Additionally, the remaining code was commented out to disrupt the UX/UI, making it difficult to revert the settings.
Пакеты
getformwork/formwork
= 2.0.0-beta.3
2.0.0-beta.4
4.7 Medium
CVSS3
Дефекты
4.7 Medium
CVSS3