CVE-2024-35191
MEDIUM4.4EPSS 0.22%verbb/formie Server-Side Template Injection for variable-enabled settings
發布日:2024/5/20修改日:2024/5/20
描述
### Impact Users with access to a form's settings can include malicious Twig code into fields that support Twig. These might be the Submission Title or the Success Message. This code will then be executed upon creating a submission, or rendering the text. This is listed as low-medium severity due to requiring control panel access to edit a form's settings. ### Patches This has been fixed in Formie 2.1.6. Users should ensure they are running at least this version.
受影響套件(1)
- Packagist/verbb/formiefrom 0, < 2.1.6
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.4 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |