Craft Cms · Formie · CVE-2025-32427
Name of the Vulnerable Software and Affected Versions:
Formie versions prior to 2.1.44
Description:
The issue arises when importing a form from JSON into Formie, a Craft CMS plugin for building forms. If a field label or handle contains malicious content, that value is not correctly escaped when the preview of what is about to be imported is rendered, which can lead to cross-site scripting. The vulnerability is rated moderate because it primarily affects users who move an exported form from one environment to another, and it requires direct manipulation of the JSON export: it will not occur unless someone deliberately tampers with the export.
Recommendations:
For versions prior to 2.1.44, update to version 2.1.44 to resolve the issue. As a temporary workaround, consider avoiding the import of forms from untrusted JSON sources and ensure that any JSON exports are thoroughly reviewed for malicious content before import. Restrict access to the form import functionality to minimize the risk of exploitation.
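The following is an added example (not code from Formie or the advisory) of the pre-import review suggested above: it walks a form export and flags any `label` or `handle` value that carries HTML-significant characters or is not a plain identifier. The nesting (pages -> rows -> fields) and the sample export are constructed assumptions for illustration, not the plugin's documented schema.

```python
import html
import json
import re

# Constructed sample of a Formie-style export. The structure and key names are
# assumptions for this example; adjust CHECKED_KEYS and the walk to the real schema.
SAMPLE_EXPORT = json.dumps({
    "title": "Contact",
    "handle": "contact",
    "pages": [{
        "label": "Page 1",
        "rows": [{"fields": [
            {"label": "Your name", "handle": "yourName"},
            {"label": "Email <img src=x onerror=alert(1)>", "handle": "email"},
            {"label": "Message", "handle": "msg\"><script>"},
        ]}],
    }],
})

# A handle is an identifier, so anything beyond letters, digits and underscores is suspect.
HANDLE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
CHECKED_KEYS = {"label", "handle"}

def review_export(raw_json):
    """Return a list of (path, key, reason) findings for label/handle values that
    contain markup or are not plain identifiers. An empty list means nothing was
    flagged; a human should still read the findings before importing."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if isinstance(value, str) and key in CHECKED_KEYS:
                    if key == "handle" and not HANDLE_RE.match(value):
                        findings.append((here, key, "handle is not a plain identifier"))
                    elif html.escape(value, quote=True) != value:
                        findings.append((here, key, "value contains HTML-significant characters"))
                else:
                    walk(value, here)
        elif isinstance(node, list):
            for i, item in enumerate(node):
                walk(item, f"{path}[{i}]")

    walk(json.loads(raw_json), "")
    return findings

if __name__ == "__main__":
    for path, key, reason in review_export(SAMPLE_EXPORT):
        print(f"{path}: {reason}")
```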