PT-2021-19863 · Neos · Neos/Forms

Published

2021-06-21

·

Updated

2021-06-29

·

CVE-2021-32697

CVSS v3.1

6.5

Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: neos/form (the Neos Form package; the patch repository is github.com/neos/form), all versions prior to the release that contains the fix for this issue
Description: The issue allows a form to be submitted without invoking any validators by crafting a special GET request that carries a valid form state but no form field values. The form state is secured with an HMAC that is still verified, so an attacker cannot forge a state; the issue can only be exploited if Form Finishers cause side effects even when no form values have been sent. Form Finishers can be adjusted to only execute an action if the submitted form contains some expected data, or a custom Finisher can be added as the first finisher to stop the chain on an empty submission.
Recommendations: For neos/form, update to a version that includes the fix for this issue, as provided in the patch https://github.com/neos/form/commit/69de4219b1f58157e2be6b05811463875d75c246. As a temporary workaround, adjust Form Finishers to only execute an action if the submitted form contains some expected data. Alternatively, add a custom Finisher as the first finisher that cancels the remaining finishers when the expected data is absent, to minimize the risk of exploitation.
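As an added example (not part of this advisory and not code from the neos/form project), the following guard finisher implements the second workaround: placed first in a form's finisher chain, it cancels the remaining finishers when the submitted values a legitimate submission would carry are missing or empty, so a replayed form state without field values never reaches the finishers that cause side effects. The namespace Acme\Forms, the class name, the finisher identifier "Acme.Forms:RequireValues" and the option name requiredFields are assumptions; the neos/form API it relies on (AbstractFinisher, parseOption(), FinisherContext::getFormValues() and cancel()) is the one the package exposes, but verify it against the version you run.

```php
<?php
declare(strict_types=1);

// Hypothetical vendor namespace; not part of neos/form.
namespace Acme\Forms\Finishers;

use Neos\Form\Core\Model\AbstractFinisher;

/**
 * Guard finisher placed FIRST in a form's finisher chain.
 *
 * A replayed, HMAC-valid form state that carries no field values skips the
 * per-field validators, so the finisher chain is the last place where the
 * absence of data can be noticed. This finisher cancels the chain when any
 * configured field is missing or empty, so the real finishers (mail,
 * redirect, persistence, ...) never run on an empty submission.
 *
 * Registration (Settings.yaml, hypothetical identifier):
 *
 *   Neos:
 *     Form:
 *       presets:
 *         default:
 *           finisherPresets:
 *             'Acme.Forms:RequireValues':
 *               implementationClassName: 'Acme\Forms\Finishers\RequireValuesFinisher'
 *
 * Usage in a form definition (must be the first entry of "finishers"):
 *
 *   finishers:
 *     -
 *       identifier: 'Acme.Forms:RequireValues'
 *       options:
 *         requiredFields: ['name', 'email']
 *     -
 *       identifier: 'Neos.Form:Email'
 *       options: { ... }
 */
class RequireValuesFinisher extends AbstractFinisher
{
    /**
     * @var array
     */
    protected $defaultOptions = [
        // Form element identifiers that must be present and non-empty.
        'requiredFields' => [],
    ];

    /**
     * Cancels the finisher chain when the expected values are absent.
     */
    protected function executeInternal()
    {
        $required = (array)$this->parseOption('requiredFields');
        // Values collected in the (HMAC-verified) form state; empty on a replayed state.
        $values = $this->finisherContext->getFormValues();

        if ($required === []) {
            // Nothing configured: fail closed on a submission with no data at all.
            $blocked = !self::hasAnyValue($values);
        } else {
            $blocked = self::missingFields($required, $values) !== [];
        }

        if ($blocked) {
            // cancel() makes the form runtime stop before the next finisher.
            $this->finisherContext->cancel();
        }
    }

    /**
     * Identifiers from $required that are absent or empty in $values.
     *
     * @param string[] $required
     * @param array<string,mixed> $values
     * @return string[]
     */
    public static function missingFields(array $required, array $values): array
    {
        $missing = [];
        foreach ($required as $identifier) {
            if (!array_key_exists($identifier, $values) || self::isEmptyValue($values[$identifier])) {
                $missing[] = $identifier;
            }
        }
        return $missing;
    }

    /** True when at least one submitted value is non-empty. */
    public static function hasAnyValue(array $values): bool
    {
        foreach ($values as $value) {
            if (!self::isEmptyValue($value)) {
                return true;
            }
        }
        return false;
    }

    /** Treat null, '' and [] as "nothing submitted"; keep 0 and '0' as real input. */
    private static function isEmptyValue($value): bool
    {
        return $value === null || $value === '' || $value === [];
    }
}
```

Cancelling the chain is deliberately silent towards the client: the request still receives the normal response, but no mail is sent and nothing is persisted. If you need visibility into replay attempts, log the cancelled submission from this finisher with your application's logger before calling cancel(); no logging call from neos/form is assumed here.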



Related Identifiers

CVE-2021-32697
GHSA-m5vx-8chx-qvmm

Affected Products

Neos/Forms