PT-2023-19487 · Formwork · Formwork
Published
2023-02-10
·
Updated
2025-03-24
·
CVE-2023-24230
CVSS v3.1
4.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Formwork version 1.12.1
Description
A stored cross-site scripting (XSS) vulnerability in the component /formwork/panel/dashboard of Formwork allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the
Page title parameter. Only users with access to the Administration Panel with page editing permission can inject raw HTML in the Page title field.Recommendations
For Formwork version 1.12.1, update to version 1.13.0 to resolve the issue. As a temporary workaround, consider restricting access to the Administration Panel to minimize the risk of exploitation, and avoid injecting raw HTML in the
Page title field until the issue is resolved.Exploit
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Formwork