CVE-2024-37160

Name of the Vulnerable Software and Affected Versions Formwork versions prior to 1.13.1

Description Formwork is a flat file-based Content Management System (CMS) that allows an attacker with administrator privileges to execute arbitrary web scripts by modifying site options via /panel/options/site. This type of attack is suitable for persistence, affecting visitors across all pages (except the dashboard). The issue is a Stored XSS vulnerability, which enables attackers to inject malicious JavaScript or HTML through a crafted payload, achieving persistence and potentially attacking numerous visitors.

Recommendations For versions prior to 1.13.1, update to Formwork 1.13.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the /panel/options/site endpoint to minimize the risk of exploitation. Additionally, avoid using the description field in the site options to prevent potential injection of malicious scripts.