CVE-2023-24230
MEDIUM4.8EPSS 0.38%Formwork Cross-site Scripting (XSS) from Page title field
Published: 2/10/2023Modified: 5/28/2024
Description
### Description A stored cross-site scripting (XSS) vulnerability in Formwork v1.12.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title field. Only users with access to Administration Panel with page editing permission can inject raw HTML in the Page title field. ### Patched versions This vulnerability has been patched in [Formwork 1.13.0](https://github.com/getformwork/formwork/releases/tag/1.13.0).
Affected packages (1)
- Packagist/getformwork/formworkfrom 0, < 1.13.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |