verbb/formie Server-Side Template Injection for variable-enabled settings
Description
Published to the GitHub Advisory Database
May 20, 2024
Reviewed
May 20, 2024
Published by the National Vulnerability Database
May 20, 2024
Last updated
May 20, 2024
Impact
Users with access to a form's settings can inject malicious Twig code into settings fields that support Twig variables, such as the Submission Title or the Success Message. Because those fields are compiled and rendered as Twig templates, the injected code is executed when a submission is created or when the text is rendered.
This is rated low to medium severity because exploitation requires control panel access with permission to edit a form's settings.
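To make the failure mode concrete, the following is an added PHP example, not Formie's or Craft CMS's own code (the advisory does not show the affected implementation). It contrasts compiling an editor-supplied setting string as a Twig template with a full environment against compiling the same string inside Twig's sandbox with an explicit allow-list. The function names, the sample submission data and the hostile setting value are constructed for illustration; it assumes twig/twig 3.x is installed via Composer.

```php
<?php
// Added example, not Formie's or Craft's code. Assumes twig/twig 3.x (composer require twig/twig).
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

/**
 * Vulnerable pattern (hypothetical name): the editor-supplied setting is compiled
 * as a complete Twig template. Every function, filter and object the environment
 * exposes is now reachable by anyone who can edit the form's settings.
 */
function renderSettingUnsafe(string $setting, array $context): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($setting)->render($context);
}

/**
 * Hardened pattern (hypothetical name): the setting is still compiled as Twig,
 * but inside the sandbox with an allow-list. No tags, no functions, no method or
 * property access on objects, and only a few harmless filters. The context is
 * passed as plain arrays so the template can read values but not call behaviour.
 */
function renderSettingSandboxed(string $setting, array $context): string
{
    $policy = new SecurityPolicy(
        [],                                    // allowed tags
        ['escape', 'upper', 'lower', 'trim'],  // allowed filters ('escape' is what autoescape applies)
        [],                                    // allowed methods
        [],                                    // allowed properties
        []                                     // allowed functions
    );
    $twig = new Environment(new ArrayLoader(), ['autoescape' => 'html']);
    // Second argument = true: every template is sandboxed, not only {% sandbox %} blocks.
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($setting)->render($context);
}

// Constructed sample data: a submission and two possible "Submission Title" settings.
$submission = ['name' => 'Ada', 'email' => 'ada@example.com'];
$benign = 'Contact from {{ submission.name }} ({{ submission.email }})';
// Constructed hostile setting: calls constant(), a core Twig function an editor has no
// business calling. A real attacker would target whatever the host application exposes.
$hostile = 'Contact {{ constant("PHP_VERSION") }}';

foreach ([$benign, $hostile] as $setting) {
    echo 'unsafe:    ', renderSettingUnsafe($setting, ['submission' => $submission]), "\n";
    try {
        echo 'sandboxed: ', renderSettingSandboxed($setting, ['submission' => $submission]), "\n";
    } catch (SecurityError $e) {
        echo 'sandboxed: rejected (', $e->getMessage(), ")\n";
    }
}
```

Running this prints the PHP version for the hostile setting under the unsafe renderer and a SecurityError under the sandboxed one, while the benign setting renders identically in both. Where a setting only needs simple variable substitution, the more robust option is to not compile the string at all and instead replace an allow-listed set of placeholders with escaped values.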
Patches
This has been fixed in Formie 2.1.6. Users should ensure they are running at least this version.