CVE-2023-24230

Name of the Vulnerable Software and Affected Versions Formwork version 1.12.1

Description A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Page title parameter. Only users with access to the Administration Panel with page editing permission can inject raw HTML in the Page title field.

Recommendations For Formwork version 1.12.1, update to version 1.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the Administration Panel to minimize the risk of exploitation, and avoid injecting raw HTML in the Page title field until the issue is resolved.